CVE-2025-55853
SSRF and LFI in SoftVision webPDF PDF Converter Before
Publication date: 2026-02-19
Last updated on: 2026-03-25
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| softvision | webpdf | before 10.0.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
SoftVision webPDF versions before 10.0.2 have a Server-Side Request Forgery (SSRF) vulnerability. This occurs because the PDF converter function does not verify whether the uploaded files request internal or external resources and allows protocols like http:// and file:///. An attacker can upload an XML or HTML file that, when converted to PDF, can perform internal port scanning and Local File Inclusion (LFI).
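The check the description says is missing can be approximated in front of a converter. The following is an added example, not webPDF code or a vendor fix: it scans an uploaded HTML file for resource references and reports those that use a disallowed scheme such as file:// or point at a non-public or non-allowlisted host. The attribute list, the allowed schemes, the host allowlist and the sample document are assumptions made for illustration, and XML-specific constructs are not covered.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "data", "action", "poster", "background"}
ALLOWED_SCHEMES = {"http", "https"}   # assumption: local policy choice
ALLOWED_HOSTS = {"cdn.example.com"}   # hypothetical allowlist

class RefCollector(HTMLParser):
    """Collect (tag, url) pairs from URL-bearing attributes."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [(tag, v.strip()) for k, v in attrs if k in URL_ATTRS and v]

def reject_reason(url):
    """Return why a reference must be blocked, or None if it may be fetched."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    scheme, host = parts.scheme.lower(), parts.hostname or ""
    if not scheme and not host:
        return None  # relative or fragment-only; assumed handled by base-URL policy
    if scheme and scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"
    try:
        if not ipaddress.ip_address(host).is_global:
            return f"non-public address {host}"
    except ValueError:
        pass  # not an IP literal; fall through to the allowlist
    return None if host in ALLOWED_HOSTS else f"host {host!r} not on allowlist"

def scan_upload(html_text):
    """Return (tag, url, reason) for every reference that should be blocked."""
    collector = RefCollector()
    collector.feed(html_text)
    collector.close()
    return [(t, u, r) for t, u in collector.refs if (r := reject_reason(u))]

# Constructed sample upload, not taken from a real incident.
SAMPLE = """<html><body><img src="https://cdn.example.com/logo.png">
<img src="file:///path/to/local-file"><iframe src="http://127.0.0.1:8080/"></iframe>
<link rel="stylesheet" href="//10.0.0.5/site.css"><a href="#top">top</a></body></html>"""

if __name__ == "__main__":
    for finding in scan_upload(SAMPLE):
        print(finding)
```

The allowlist is compared against the hostname as written and does no DNS resolution, so an allowlisted name that resolves to an internal address still needs to be stopped by egress filtering on the conversion host.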
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform internal port scanning, which can reveal information about the internal network structure. Additionally, it can lead to Local File Inclusion (LFI), potentially exposing sensitive files on the server. These impacts can compromise the confidentiality and security of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know