CVE-2026-5936

HIGH 8.5

Server-Side Request Forgery (SSRF) via URL Parameter in Foxit PDF Services API

CVSS Score

8.5

EPSS Score

0.0%

EPSS Percentile

0th

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.

CWE	CWE-918
Vendor	foxit software inc.
Product	foxit pdf services api
Published	Apr 13, 2026
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for foxit software inc. foxit pdf services api

Be the first to know when new high vulnerabilities affecting foxit software inc. foxit pdf services api are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

Foxit Software Inc. / Foxit PDF Services API

before 2026-04-07

References

NVD ↗ CVE.org ↗ EPSS Data ↗

foxit.com: https://www.foxit.com/support/security-bulletins.html

Credits

Vedant Roy of Ultimate Kronos Group(UKG)