Low severity3.3NVD Advisory· Published Apr 16, 2026· Updated Apr 17, 2026

CVE-2026-40505

Description

MuPDF before 1.27 contains an ANSI injection vulnerability in mutool that allows attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata fields. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to terminal output when running mutool info, enabling them to manipulate terminal display for social engineering attacks such as presenting fake prompts or spoofed commands.

Affected products

Artifex/Mupdfreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/nvd
github.com/ArtifexSoftware/mupdf/commit/0f17d789fe8c29b41e47663be82514aaca3a4dfbnvd
github.com/ArtifexSoftware/mupdf/releases/tag/1.27.0nvd
www.vulncheck.com/advisories/mupdf-mutool-ansi-injection-via-metadatanvd

News mentions

No linked articles in our index yet.

cvss	0.214
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000