DEBIAN-CVE-2026-40505

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-40505

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40505.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-40505

Upstream

CVE-2026-40505

Published

2026-04-16T22:05:14.595036Z

Modified

2026-04-18T05:01:05.870465Z

Summary

[none]

Details

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

References

https://security-tracker.debian.org/tracker/CVE-2026-40505

Affected packages

Debian:11 / mupdf

Package

Name: mupdf
Purl: pkg:deb/debian/mupdf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.17.0+ds1-2

1.17.0+ds1-2+deb11u1

1.19.0+ds1-1

1.19.0+ds1-2

1.20.0+ds1-1

1.20.3+ds1-1

1.21.0+ds1-1

1.21.1+ds1-1

1.21.1+ds1-2

1.21.1+ds2-1

1.22.1+ds1-1

1.22.2+ds1-1

1.22.2+ds1-2

1.23.6+ds1-1

1.23.7+ds1-1

1.23.10+ds1-1

1.23.10+ds1-2

1.24.3+ds1-1

1.24.8+ds2-1

1.24.8+ds2-2

1.24.9+ds1-1

1.24.10+ds1-1

1.25.1+ds1-1

1.25.1+ds1-2

1.25.1+ds1-3

1.25.1+ds1-4

1.25.1+ds1-5

1.25.1+ds1-6

1.25.1+ds1-7

1.25.1+ds1-8

1.25.1+ds1-9

1.27.0+ds1-1

1.27.0+ds1-2

1.27.0+ds1-3

1.27.0+ds1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40505.json"

Debian:12 / mupdf

Package

Name: mupdf
Purl: pkg:deb/debian/mupdf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.21.1+ds2-1

1.22.1+ds1-1

1.22.2+ds1-1

1.22.2+ds1-2

1.23.6+ds1-1

1.23.7+ds1-1

1.23.10+ds1-1

1.23.10+ds1-2

1.24.3+ds1-1

1.24.8+ds2-1

1.24.8+ds2-2

1.24.9+ds1-1

1.24.10+ds1-1

1.25.1+ds1-1

1.25.1+ds1-2

1.25.1+ds1-3

1.25.1+ds1-4

1.25.1+ds1-5

1.25.1+ds1-6

1.25.1+ds1-7

1.25.1+ds1-8

1.25.1+ds1-9

1.27.0+ds1-1

1.27.0+ds1-2

1.27.0+ds1-3

1.27.0+ds1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40505.json"

Debian:13 / mupdf

Package

Name: mupdf
Purl: pkg:deb/debian/mupdf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.25.1+ds1-6

1.25.1+ds1-7

1.25.1+ds1-8

1.25.1+ds1-9

1.27.0+ds1-1

1.27.0+ds1-2

1.27.0+ds1-3

1.27.0+ds1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40505.json"

Debian:14 / mupdf

Package

Name: mupdf
Purl: pkg:deb/debian/mupdf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.25.1+ds1-6

1.25.1+ds1-7

1.25.1+ds1-8

1.25.1+ds1-9

1.27.0+ds1-1

1.27.0+ds1-2

1.27.0+ds1-3

1.27.0+ds1-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-40505.json"