External risk intelligence

Foxit PDF Services API Server-Side Request Forgery Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-5936

The product is a PDF services API. APIs are commonly deployed as internet-facing services to facilitate remote document processing, making the service endpoint a frequent point of public network exposure.

Server-Side Request Forgery

Foxit Pdf Services Api

before 2026-04-07

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in the Foxit PDF Services API. An attacker could exploit this by sending a specially crafted URL, causing the service to make requests to unintended locations. This could allow them to scan internal networks, access sensitive cloud information, or bypass security measures, potentially leading to data breaches and further system compromise.

  • Attackers can trick the service into making unexpected network requests.
  • It risks internal network probing and data exposure.
  • Confirm relevance and assess potential exposure to internal systems.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted URL to the server. This allows the server to be tricked into making requests to any destination chosen by the attacker. This could be used to scan internal networks, access restricted endpoints, or bypass security measures, potentially leading to the exposure of sensitive data and further system compromise.

  • Accessible via the network.
  • Crafted URL triggers server-side request.
  • Sensitive data exposure and compromise.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker could manipulate server-side HTTP requests to access internal network services or cloud metadata endpoints. This may lead to the disclosure of sensitive information and compromise of the internal environment.

  • Server-side HTTP requests.
  • Crafted URLs trigger server requests.
  • Sensitive information disclosure possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Foxit PDF Services API allows attackers to control server-side HTTP requests, potentially leading to internal network probing, access to sensitive endpoints, and further compromise. Technical leaders and security teams should first identify all instances of the affected API, determine their network reachability and business criticality, and locate the accountable owner before planning remediation.

  • Identify affected API instances.
  • Confirm network exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Foxit PDF Services API?

Foxit PDF Services API is a software component designed to automate document workflows. It allows developers to integrate capabilities such as file conversion, merging, and document manipulation directly into their own applications or web services, often acting as a backend processing engine for handling PDF files in enterprise environments.

What does CWE-918 mean for CVE-2026-5936?

CWE-918 refers to Server-Side Request Forgery (SSRF). In the context of this CVE, it means the application fails to validate the destination of network requests it makes on behalf of users. An attacker provides a specific URL, tricking the server into acting as a proxy to send requests to locations it was not intended to reach, such as internal databases or private administrative interfaces.

How do I trigger this SSRF vulnerability?

An attacker triggers this by submitting a specially crafted URL to the API endpoint where a standard request is expected. The vulnerability is triggered by the service's own processing logic when it reaches out to the attacker-supplied address. Simply sending a valid, non-malicious URL for legitimate document processing does not trigger the bug; the server must be manipulated into requesting an unauthorized or arbitrary destination.

Is my Foxit PDF Services API deployment at risk?

According to Halo Surface Signal, this software is often deployed as an internet-facing service to enable remote document processing. Because it is designed to communicate over a network, any instance reachable from the public internet is at a higher risk of being targeted. You should assess if your specific instance is exposed to external traffic versus restricted to a private, internal network.

What should I do to address this CVE?

Begin by creating an inventory of all active Foxit PDF Services API instances within your environment. Once identified, evaluate the network accessibility of each instance and determine its importance to your business operations. Work with the owners of these systems to verify the current version and schedule the necessary updates to move beyond the vulnerable configuration.

References