Skip to main content

Foxit PDF Services API CVE-2026-5936

| EUVDEUVD-2026-21887 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-13 Foxit
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.3 CRITICAL

Unauthenticated network SSRF (AV:N/AC:L/PR:N/UI:N) reaching other systems justifies S:C; primary impact is confidentiality (C:H), with limited integrity via forged requests (I:L) and no real availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 07, 2026 - 18:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 18:37 vuln.today
cvss_changed
Severity Changed
Jul 07, 2026 - 18:37 NVD
HIGH CRITICAL
CVSS changed
Jul 07, 2026 - 18:37 NVD
8.5 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Apr 13, 2026 - 07:30 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 07:15 euvd
EUVD-2026-21887
Analysis Generated
Apr 13, 2026 - 07:15 vuln.today
CVE Published
Apr 13, 2026 - 06:57 nvd
HIGH 8.5

DescriptionNVD

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.

AnalysisAI

Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.

Technical ContextAI

This is a CWE-918 (Server-Side Request Forgery) weakness in a document-processing web API. Foxit PDF Services API is a hosted/cloud service that renders and manipulates PDFs, and such services routinely fetch remote resources (images, remote documents, callback/webhook URLs) by URL - the exact functionality that enables SSRF when the destination is not validated against an allow-list. The affected component per CPE is cpe:2.3:a:foxit_software_inc.:foxit_pdf_services_api, a server-side API rather than an installable desktop client, so the vulnerable code and its fix reside on Foxit's infrastructure. The root cause is user-controlled input flowing into a server-side HTTP client without egress filtering, allowing requests to target link-local metadata IPs (e.g. 169.254.169.254) or RFC1918 internal ranges.

RemediationAI

Because this is a Foxit-hosted cloud API, the fix was applied server-side by Foxit as of 2026-04-07 (Patch available per vendor advisory; no exact tagged version is published for a SaaS endpoint), so consumers on the live service are covered without action - confirm against Foxit's security bulletins at https://www.foxit.com/support/security-bulletins.html. Organizations that proxy or self-relay calls to this API should still add egress controls as defense-in-depth: restrict the integration's outbound path so it cannot reach cloud metadata IPs (block 169.254.169.254) and internal RFC1918 ranges, and validate/allow-list any user-supplied URLs before forwarding, accepting that legitimate internal-resource fetches will then be blocked. If you operate any on-prem or cached deployment tied to this API, verify it post-dates the 2026-04-07 fix. Review VulDB (https://vuldb.com/vuln/357097) and the NVD entry for updated version detail.

Share

CVE-2026-5936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy