CVE-2026-5936 PUBLISHED

Server-Side Request Forgery (SSRF) via URL Parameter in Foxit PDF Services API

Assigner: Foxit
Reserved: 09.04.2026 Published: 13.04.2026 Updated: 13.04.2026

An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS Score: 8.5

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Foxit Software Inc.
Product	Foxit PDF Services API
Versions	Default: unaffected Version before 2026-04-07 is affected

Credits

Vedant Roy of Ultimate Kronos Group(UKG) finder

References

https://www.foxit.com/support/security-bulletins.html

Problem Types

CWE-918 Server-Side request forgery (SSRF) CWE

Impacts

Information Disclosure