Cyber Resilience

CVE-2025-56590

CriticalPublic PoCRCE

Published: 22 January 2026

Published
22 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0051 39.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-56590 is a critical-severity OS Command Injection (CWE-78) vulnerability in Apryse Html2Pdf. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-56590 is a vulnerability in the InsertFromURL() function of the Apryse HTML2PDF SDK through version 11.10. This flaw, classified under CWE-78 (OS Command Injection), allows an attacker to execute arbitrary operating system commands on the local server where the SDK is deployed. The issue was published on 2026-01-22 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected application, requiring low complexity and no user interaction. By providing a specially crafted URL to the InsertFromURL() function, an attacker can inject malicious commands, leading to remote code execution (RCE) on the server. This grants full control over the local system, enabling data theft, persistence, or further lateral movement.

Advisories and additional details are available from the vendor at http://apryse.com and from Stratascale at https://www.stratascale.com/resource/apryse-server-argument-injection-rce/, which describe the argument injection leading to RCE.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in publicly accessible SDK function enables remote exploitation of public-facing app (T1190) and direct arbitrary command execution via command interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-56589Same product: Apryse Html2Pdf
CVE-2026-28470Shared CWE-78
CVE-2025-69269Shared CWE-78
CVE-2025-24971Shared CWE-78
CVE-2026-22553Shared CWE-78
CVE-2026-22901Shared CWE-78
CVE-2026-1345Shared CWE-78
CVE-2026-6349Shared CWE-78
CVE-2025-9588Shared CWE-78
CVE-2026-24689Shared CWE-78

Affected Assets

apryse
html2pdf
11.10.0, 11.5.0, 11.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the OS command injection flaw in the Apryse HTML2PDF SDK by requiring installation of security patches beyond version 11.10.

prevent

Validates and sanitizes URL inputs to the InsertFromURL() function to block malicious payloads that enable OS command injection.

prevent

Enforces least privilege on the SDK process to limit the scope and impact of arbitrary OS commands executed via the vulnerability.

References