CVE-2025-46568

7.5 HIGH
Published: May 01, 2025 Modified: February 06, 2026
View on NVD

Description

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Prior to version 0.45.0, Stirling-PDF is vulnerable to SSRF-induced arbitrary file read. WeasyPrint redefines a set of HTML tags, including img, embed, object, and others. The references to several files inside, allow the attachment of content from any webpage or local file to a PDF. This allows the attacker to read any file on the server, including sensitive files and configuration files. All users utilizing this feature will be affected. This issue has been patched in version 0.45.0.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/Stirling-Tools/Stirling-PDF/commit/e15128633718cb5f9262986b3770ca592af60cda
Source: security-advisories@github.com
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-998c-x8hx-737r
Source: security-advisories@github.com
Exploit
https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-998c-x8hx-737r
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.3%
56th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-918

Affected Vendors

stirlingpdf

Related CVEs

CVE-2026-4775 7.8
CVE-2026-33554 N/A
CVE-2026-33316 8.1
CVE-2026-33315 N/A
CVE-2026-33313 N/A