What is the CVSS score of CVE-2025-56590?

CVE-2025-56590 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Html2pdf are affected by CVE-2025-56590?

A critical remote code execution vulnerability (CVE-2025-56590) affecting Apryse HTML2PDF SDK versions through 11.10 could allow attackers to execute arbitrary commands on affected servers.

Is there a public PoC exploit available for CVE-2025-56590?

Yes, a public proof-of-concept exploit is available for CVE-2025-56590. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-56590?

Within 24 hours: Inventory all systems and applications using Apryse HTML2PDF SDK and assess exposure. Implement network segmentation to isolate affected systems. Within 7 days: Disable the InsertFromURL() function if operationally feasible, or restrict access to PDF generation functionality to trusted users only. Monitor vendor communications for patch availability. Within 30 days: Upgrade to patched version immediately upon availability, or migrate to alternative PDF generation solutions if no patch timeline is provided by the vendor.

Html2pdf CVE-2025-56590

CRITICAL

OS Command Injection (CWE-78)

2026-01-22 cve@mitre.org

Command Injection RCE Html2pdf

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 12, 2026 - 15:01 vuln.today

Public exploit code

CVE Published

Jan 22, 2026 - 18:16 nvd

CRITICAL 9.8

DescriptionCVE.org

An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server.

AnalysisAI

Apryse HTML2PDF SDK through version 11.10 has a command injection vulnerability in the InsertFromURL function allowing remote code execution when converting HTML to PDF.

Technical ContextAI

The InsertFromURL() function in Apryse HTML2PDF SDK through 11.10 fails to sanitize URLs before passing them to system commands (CWE-78), allowing injection of arbitrary OS commands.

RemediationAI

Update the SDK. Validate and sanitize all URLs before passing to conversion functions.

CVE-2025-56590 vulnerability details – vuln.today

Back

Html2pdf CVE-2025-56590

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code