EXECUTIVE SUMMARY:
CVE-2026-54071 with a CVSS score of 7.8 is a high-severity vulnerability in the BabelDOC package, specifically in versions <= 0.6.2, which allows for arbitrary code execution via deserialization of untrusted pickle data in the `cmapdb.py` module. The vulnerability occurs when the `_load_data()` method strips only NUL bytes from a PDF-controlled CMap name and then passes it directly to `os.path.join()` and `pickle.loads()`, allowing an attacker to embed a hex-encoded absolute path in a crafted PDF's `/Encoding` name and redirect deserialization to any attacker-writable `.pickle.gz` file on the local system. An attacker can exploit this vulnerability by crafting a malicious PDF file and providing it as input to the BabelDOC process, requiring only the ability to upload or provide a PDF file to the system, and gaining the capability to execute arbitrary Python code with the privileges of the BabelDOC process. The business impact of this vulnerability is high, as it can lead to unauthorized access, data breaches, and lateral movement within the system. The exploitation of this vulnerability requires the attacker to have the ability to upload or provide a crafted PDF file to the system, and the presence of a writable `.pickle.gz` file on the local system that can be deserialized by the BabelDOC process.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-54071 with a CVSS score of 7.8 is a high-severity vulnerability in the BabelDOC package, specifically in versions <= 0.6.2, which allows for arbitrary code execution via deserialization of untrusted pickle data in the `cmapdb.py` module. The vulnerability occurs when the `_load_data()` method strips only NUL bytes from a PDF-controlled CMap name and then passes it directly to `os.path.join()` and `pickle.loads()`, allowing an attacker to embed a hex-encoded absolute path in a crafted PDF's `/Encoding` name and redirect deserialization to any attacker-writable `.pickle.gz` file on the local system. An attacker can exploit this vulnerability by crafting a malicious PDF file and providing it as input to the BabelDOC process, requiring only the ability to upload or provide a PDF file to the system, and gaining the capability to execute arbitrary Python code with the privileges of the BabelDOC process. The business impact of this vulnerability is high, as it can lead to unauthorized access, data breaches, and lateral movement within the system. The exploitation of this vulnerability requires the attacker to have the ability to upload or provide a crafted PDF file to the system, and the presence of a writable `.pickle.gz` file on the local system that can be deserialized by the BabelDOC process.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you to update BabelDOC to version 0.6.3.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m8gf-v64p-gfmg