What is the CVSS score of CVE-2025-56589?

CVE-2025-56589 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of Html2pdf are affected by CVE-2025-56589?

Organizations using Apryse HTML2PDF SDK versions 11.6.0 and earlier face a critical vulnerability that allows attackers to read arbitrary files from servers or make unauthorized internal network…

Is there a public PoC exploit available for CVE-2025-56589?

Yes, a public proof-of-concept exploit is available for CVE-2025-56589. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-56589?

Within 24 hours: Identify all applications and systems using Apryse HTML2PDF SDK and their versions; disable HTML-to-PDF functionality if not business-critical. Within 7 days: Implement network segmentation to restrict SDK server outbound connections; deploy WAF rules to block malicious HTML inputs; monitor for suspicious file access and network requests. Within 30 days: Transition to alternative PDF libraries without known vulnerabilities or await official patch from Apryse and conduct full regression testing before deployment.

Html2pdf CVE-2025-56589

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-01-22 cve@mitre.org

SSRF LFI Html2pdf

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 02, 2026 - 20:09 vuln.today

Public exploit code

CVE Published

Jan 22, 2026 - 17:15 nvd

HIGH 7.5

DescriptionCVE.org

A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.

AnalysisAI

A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Html2Pdf. A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-56589 vulnerability details – vuln.today

Back

Html2pdf CVE-2025-56589

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code