How to fix CVE-2025-56589?

Within 24 hours: Identify all applications and systems using Apryse HTML2PDF SDK and their versions; disable HTML-to-PDF functionality if not business-critical. Within 7 days: Implement network segmentation to restrict SDK server outbound connections; deploy WAF rules to block malicious HTML inputs; monitor for suspicious file access and network requests. Within 30 days: Transition to alternative PDF libraries without known vulnerabilities or await official patch from Apryse and conduct full regression testing before deployment.

Is Html2pdf affected by CVE-2025-56589?

Organizations using Apryse HTML2PDF SDK versions 11.6.0 and earlier face a critical vulnerability that allows attackers to read arbitrary files from servers or make unauthorized internal network requests.

CVE-2025-56589

HIGH

2026-01-22 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 02, 2026 - 20:09 vuln.today

Public exploit code

CVE Published

Jan 22, 2026 - 17:15 nvd

HIGH 7.5

Description

A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.

Analysis

A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. [CVSS 7.5 HIGH]

Technical Context

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). Affects Html2Pdf. A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.

Affected Products

Vendor: Apryse. Product: Html2Pdf.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: +20

CVE-2025-56589 vulnerability details – vuln.today

Back

CVE-2025-56589

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-56589

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code