Papercut
Known Exploited Papercut Vulnerabilities
The following Papercut vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability | PaperCut NG/MF contains a cross-site request forgery (CSRF) vulnerability, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. CVE-2023-2533. Exploit Probability: 36.3% | July 28, 2025 |
| PaperCut MF/NG Improper Access Control Vulnerability | PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system. CVE-2023-27350. Exploit Probability: 94.3% | April 21, 2023 |
The vulnerability CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. The vulnerability CVE-2023-2533: PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 2 vulnerabilities in Papercut. Papercut did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 14 | 6.67 |
| 2023 | 8 | 7.56 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 9.80 |
It may take a day or so for new Papercut vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Papercut Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-5115 | Mar 31, 2026 | PaperCut NG/MF Embedded App Session Hijack via Insecure Channel: The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device. It was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user. | |
| CVE-2026-4794 | Mar 31, 2026 | XSS in PaperCut NG/MF <25.0.10 via UI Fields (Auth Admin): Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other administrators' sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session). | |
| CVE-2024-9672 | Dec 10, 2024 | Reflected XSS Vulnerability in PaperCut NG/MF Web Interface: A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur. | |
| CVE-2023-39470 | Nov 22, 2024 | PaperCut NG print.script.sandboxed RCE via Dangerous Function Exposure: PaperCut NG print.script.sandboxed Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut NG. Authentication is required to exploit this vulnerability. The specific flaw exists within the management of the print.script.sandboxed setting. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20965. | |
| CVE-2024-8405 | Sep 26, 2024 | PaperCut NG/MF WebPrint: Arbitrary File Creation DoS: An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This specific flaw exists within the web-print.exe process, which can incorrectly create files that don't exist when a maliciously formed payload is provided. This can be used to flood disk space and result in a Denial of Service (DoS) attack. Note: This CVE has been split from CVE-2024-4712. | |
| CVE-2024-8404 | Sep 26, 2024 | Arbitrary File Deletion via WebPrint Hot Folder in PaperCut NG/MF: An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server via the web-print-hot-folder. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log into the local console of the Windows environment hosting the PaperCut NG/MF application server. Update: This CVE has been updated in May 2025 to update the fixed version and fix process. Please refer to the May 2025 Security Bulletin. Note: This CVE has been split from CVE-2024-3037. | |
| CVE-2024-4712 | May 14, 2024 | PaperCut NG/MF Windows LE via File-Creation in Image-Handler: An arbitrary file creation vulnerability exists in PaperCut NG/MF that only affects Windows servers with Web Print enabled. This specific flaw exists within the image-handler process, which can incorrectly create files that don't exist when a maliciously formed payload is provided. This can lead to local privilege escalation. Note: This CVE has been split into two (CVE-2024-4712 and CVE-2024-8405) and it's been rescored with a "Privileges Required (PR)" rating of low, and Attack Complexity (AC) rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard network users on the host server. | |
| CVE-2024-3037 | May 14, 2024 | PaperCut NG/MF Windows WebPrint arbitrary file delete via local login: An arbitrary file deletion vulnerability exists in PaperCut NG/MF, specifically affecting Windows servers with Web Print enabled. To exploit this vulnerability, an attacker must first obtain local login access to the Windows Server hosting PaperCut NG/MF and be capable of executing low-privilege code directly on the server. Important: In most installations, this risk is mitigated by the default Windows Server configuration, which typically restricts local login access to Administrators only. However, this vulnerability could pose a risk to customers who allow non-administrative users to log in to the local console of the Windows environment hosting the PaperCut NG/MF application server. Note: This CVE has been split into two separate CVEs (CVE-2024-3037 and CVE-2024-8404) and it's been rescored with a "Privileges Required (PR)" rating of low, and Attack Complexity (AC) rating of low, reflecting the worst-case scenario where an Administrator has granted local login access to standard users on the host server. | |
| CVE-2023-39469 | May 03, 2024 | PaperCut NG External User Lookup RCE via Java Code Injection: PaperCut NG External User Lookup Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PaperCut NG. Authentication is required to exploit this vulnerability. The specific flaw exists within the External User Lookup functionality. The issue results from the lack of proper validation of a user-supplied string before using it to execute Java code. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-21013. | |
| CVE-2024-1884 | Mar 14, 2024 | PaperCut NG SSRF (CVE-2024-1884) Arbitrary HTTP via Server-Side Module: This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. | |