CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Description
An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.
Analysis
Server-Side Request Forgery (SSRF) in Foxit PDF Services API allows low-privileged remote attackers to force the server to make HTTP requests to arbitrary destinations, including internal network services and cloud metadata endpoints. With a CVSS score of 8.5 and changed scope (S:C), authenticated attackers can leverage this to probe internal infrastructure, access restricted resources like AWS/Azure metadata services (169.254.169.254), and exfiltrate sensitive information including credentials and configuration data. …
Remediation
Within 24 hours: Inventory all systems running Foxit PDF Services API and identify critical instances processing sensitive documents or accessing AWS/Azure environments. Within 7 days: Implement network segmentation to restrict outbound HTTP/HTTPS requests from Foxit PDF Services API servers to only whitelisted destinations; disable access to 169.254.169.254 and internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). …
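The destination restriction described above can also be enforced in the application before any server-side fetch. The following is an added example, not Foxit's code and not part of the original advisory; `check_destination`, `ALLOWED_HOSTS`, the sample host name and the loopback entries are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges named in the remediation text, plus loopback (assumption, not on the page).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",                              # cloud metadata endpoint
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # internal ranges
    "127.0.0.0/8", "::1/128",                          # loopback (assumption)
)]

# Hypothetical allowlist of hosts the service is permitted to fetch from.
ALLOWED_HOSTS = {"assets.example.com"}


def system_resolver(host):
    """Resolve a host name to all of its addresses using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_destination(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "no addresses returned"
    for text in addresses:
        ip = ipaddress.ip_address(text)
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 ranges still apply.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETS):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"
```

The HTTP client must connect to the address that was checked and repeat the check on every redirect; otherwise a second DNS lookup or a redirect can reach a blocked range after validation.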
EUVD-2026-21887