Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network SSRF (AV:N/AC:L/PR:N/UI:N) reaching other systems justifies S:C; primary impact is confidentiality (C:H), with limited integrity via forged requests (I:L) and no real availability impact (A:N).
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.
AnalysisAI
Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.
Technical ContextAI
This is a CWE-918 (Server-Side Request Forgery) weakness in a document-processing web API. Foxit PDF Services API is a hosted/cloud service that renders and manipulates PDFs, and such services routinely fetch remote resources (images, remote documents, callback/webhook URLs) by URL - the exact functionality that enables SSRF when the destination is not validated against an allow-list. The affected component per CPE is cpe:2.3:a:foxit_software_inc.:foxit_pdf_services_api, a server-side API rather than an installable desktop client, so the vulnerable code and its fix reside on Foxit's infrastructure. The root cause is user-controlled input flowing into a server-side HTTP client without egress filtering, allowing requests to target link-local metadata IPs (e.g. 169.254.169.254) or RFC1918 internal ranges.
RemediationAI
Because this is a Foxit-hosted cloud API, the fix was applied server-side by Foxit as of 2026-04-07 (Patch available per vendor advisory; no exact tagged version is published for a SaaS endpoint), so consumers on the live service are covered without action - confirm against Foxit's security bulletins at https://www.foxit.com/support/security-bulletins.html. Organizations that proxy or self-relay calls to this API should still add egress controls as defense-in-depth: restrict the integration's outbound path so it cannot reach cloud metadata IPs (block 169.254.169.254) and internal RFC1918 ranges, and validate/allow-list any user-supplied URLs before forwarding, accepting that legitimate internal-resource fetches will then be blocked. If you operate any on-prem or cached deployment tied to this API, verify it post-dates the 2026-04-07 fix. Review VulDB (https://vuldb.com/vuln/357097) and the NVD entry for updated version detail.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21887