CVE-2025-56590: Unspecified Vulnerability in InsertFromURL() function of Apryse HTML2PDF SDK
This critical-severity vulnerability (CVSS 9.8) exists within the `InsertFromURL()` function of the Apryse HTML2PDF SDK. Its exploitation could grant an attacker severe control over the system, potentially leading to remote code execution or complete compromise.
Imagine a factory machine designed to take a blueprint from a specific, trusted website and build a product from it. Because of a flaw, if you feed it a blueprint from a malicious website, it might build something entirely different, such as a remote control for the factory itself. In the same way, the SDK handles external URLs passed to its `InsertFromURL()` function poorly. An attacker can craft a malicious URL that, when processed, causes the SDK to execute the attacker's own commands on the server instead of simply fetching a legitimate document. This bypasses the intended security boundary and gives the attacker control over the host system.
This article from TheHackerWire discusses CVE-2025-56590, a critical vulnerability in the Apryse HTML2PDF SDK up to version 11.10 that allows attackers to execute arbitrary OS commands on the local server. It carries a CVSS score of 9.8, indicating a high risk of exploitation. To mitigate this risk, users should apply vendor patches, update the SDK, and monitor for signs of exploitation.