CVE-2026-5936
Published: 13 April 2026
Summary
CVE-2026-5936 is a high-severity SSRF (CWE-918) vulnerability in Foxit software (vendor inferred from references). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522). Its exploit-likelihood percentile is 9.2 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Validates crafted URL inputs to prevent attackers from controlling server-side HTTP requests to arbitrary internal destinations.
- Enforces boundary protections that block server-initiated connections to internal network services, cloud metadata endpoints, and unauthorized destinations.
- Restricts information flows from the vulnerable server to only approved external destinations, mitigating SSRF exploitation for internal probing.
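The three controls above (input validation, boundary protection, information-flow restriction) are usually implemented together as an egress guard that the server runs before it fetches any user-supplied URL. The following is an added illustration written for this page, not Foxit code and not part of the NVD record; the allowlist entries, the resolver interface and the function names are constructed assumptions. It validates scheme, userinfo, host and port, resolves the hostname, rejects any answer in a loopback, private, link-local (which covers the 169.254.169.254 metadata range), multicast or reserved range, and returns the vetted IP so the caller can connect to that address rather than re-resolving (the DNS-rebinding gap between check and fetch).

```python
"""SSRF egress guard: vet a user-supplied URL before the server requests it.
Added example for illustration only; names and allowlist are hypothetical."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: the only destinations this service may fetch from.
ALLOWED_HOSTS = {"cdn.example.com", "api.partner.example"}   # hypothetical
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def _default_resolve(host):
    """Resolve host to every IP string it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_public_address(addr):
    """True only for routable public addresses. Rejects loopback, RFC 1918
    and ULA space, link-local (includes 169.254.0.0/16 cloud metadata),
    multicast, reserved and unspecified; unwraps IPv4-mapped IPv6 first so
    ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_outbound_url(url, resolve=_default_resolve):
    """Return (ok, reason, pinned_ip). When ok, the caller must open the
    connection to pinned_ip (sending the original hostname as Host/SNI)
    instead of resolving again, so a DNS answer cannot change between
    this check and the fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username or parts.password:
        # "https://cdn.example.com@evil.example/" puts the real host after '@'
        return False, "userinfo in URL not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    if host not in ALLOWED_HOSTS:          # urlsplit lowercases hostname
        return False, "host not on allowlist", None
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port", None
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", None
    try:
        addrs = {ipaddress.ip_address(a) for a in resolve(host)}
    except (socket.gaierror, ValueError):
        return False, "resolution failed", None
    if not addrs:
        return False, "no addresses", None
    # Every answer must be public: a single internal answer fails the check.
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr, None
    pinned = sorted(addrs, key=lambda a: (a.version, int(a)))[0]
    return True, "ok", str(pinned)


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; the second entry
    # simulates an allowlisted name that now points at the metadata service.
    table = {"cdn.example.com": {"93.184.216.34"},
             "api.partner.example": {"169.254.169.254"}}
    for u in ("https://cdn.example.com/report.pdf",
              "https://api.partner.example/v1",
              "https://cdn.example.com@evil.example/",
              "http://cdn.example.com/"):
        print(u, "->", validate_outbound_url(u, resolve=lambda h: table[h]))
```

The allowlist check alone is not sufficient: an allowlisted name can resolve to an internal address (misconfiguration or attacker-controlled DNS), which is why every resolved address is inspected and the vetted address is pinned for the actual connection.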
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
SSRF allows the server to query internal services and cloud metadata endpoints, directly enabling remote system/service discovery and cloud instance metadata access for information disclosure.
NVD Description
An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.
Deeper analysis [AI]
CVE-2026-5936, published on 2026-04-13, is a server-side request forgery (SSRF) vulnerability classified under CWE-918, with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N). It affects Foxit software components, as referenced in the vendor's security bulletins. The vulnerability arises when an attacker supplies a crafted URL that allows control over server-side HTTP requests, causing the server to initiate connections to arbitrary destinations.
A low-privileged remote user can exploit this issue with low attack complexity and no user interaction required. By manipulating the request, the attacker can probe internal network services, reach otherwise inaccessible endpoints such as cloud metadata services, or bypass network access controls. This may result in sensitive information disclosure and enable further compromise of the internal environment.
Mitigation details, including available patches and advisories, are provided in Foxit's security bulletins at https://www.foxit.com/support/security-bulletins.html.
Details
- CWE(s)