CVE-2025-56590

CriticalPublic PoCRCE

Published: 22 January 2026

Published

22 January 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 9.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-56590 is a critical-severity OS Command Injection (CWE-78) vulnerability in Apryse Html2Pdf. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the OS command injection flaw in the Apryse HTML2PDF SDK by requiring installation of security patches beyond version 11.10.

SI-10 Information Input Validation good match

prevent

Validates and sanitizes URL inputs to the InsertFromURL() function to block malicious payloads that enable OS command injection.

AC-6 Least Privilege partial match

prevent

Enforces least privilege on the SDK process to limit the scope and impact of arbitrary OS commands executed via the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

OS command injection in publicly accessible SDK function enables remote exploitation of public-facing app (T1190) and direct arbitrary command execution via command interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server.

Deeper analysisAI

CVE-2025-56590 is a vulnerability in the InsertFromURL() function of the Apryse HTML2PDF SDK through version 11.10. This flaw, classified under CWE-78 (OS Command Injection), allows an attacker to execute arbitrary operating system commands on the local server where the SDK is deployed. The issue was published on 2026-01-22 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by any unauthenticated attacker with network access to the affected application, requiring low complexity and no user interaction. By providing a specially crafted URL to the InsertFromURL() function, an attacker can inject malicious commands, leading to remote code execution (RCE) on the server. This grants full control over the local system, enabling data theft, persistence, or further lateral movement.

Advisories and additional details are available from the vendor at http://apryse.com and from Stratascale at https://www.stratascale.com/resource/apryse-server-argument-injection-rce/, which describe the argument injection leading to RCE.