cvedb.io
CVE-2025-63917
HIGH · CVSS 7.1
EPSS exploitation probability: 0%
Published 2025-11-17T17:15:51.207 · Last modified 2026-06-17T09:53:40.350

Summary

PDFPatcher through 1.1.3.4663 does not restrict XML external entity (XXE) references in the executable's XML bookmark import functionality. The application loads the bookmark file with .NET's XmlDocument class without disabling external entity resolution, so an attacker who gets a victim to import a crafted bookmark file can read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF against internal network resources, or cause a denial of service through entity expansion.
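As an added example (not PDFPatcher's code, and not taken from this advisory), the following C# program reproduces the pattern the summary describes next to a hardened loader. The bookmark element and attribute names are invented for illustration; PDFPatcher's actual bookmark schema is not on this page. The "secret" file, the payload and the explicit XmlUrlResolver assignment are constructed so the demo runs self-contained: the advisory only says the resolver was never disabled, and the explicit assignment makes that state visible regardless of which .NET version's default applies.

```csharp
using System;
using System.IO;
using System.Xml;

class BookmarkXxeDemo
{
    // Constructed malicious "bookmark file" (hypothetical schema). The DTD
    // declares an external entity pointing at a local file and references it
    // in the bookmark title, so the file's contents end up in the parsed tree.
    // A real attacker would point it at /etc/passwd, C:\Windows\win.ini, or an
    // http:// URL for OOB exfiltration / SSRF; a temp file keeps this offline.
    static string BuildPayload(string secretPath) =>
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE bookmarks [\n" +
        "  <!ENTITY xxe SYSTEM \"" + new Uri(secretPath).AbsoluteUri + "\">\n" +
        "]>\n" +
        "<bookmarks><bookmark title=\"&xxe;\" page=\"1\"/></bookmarks>\n";

    // Vulnerable pattern: XmlDocument with an active resolver. The DTD is
    // parsed, the SYSTEM entity is fetched from disk/network and expanded.
    static string LoadVulnerable(string path)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = new XmlUrlResolver(); // assumption: stands in for "never disabled"
        doc.Load(path);
        return doc.SelectSingleNode("//bookmark/@title").Value;
    }

    // Hardened pattern: refuse DTDs outright and leave no resolver that could
    // fetch anything. A bookmark file never needs a DOCTYPE, so Prohibit is
    // correct here (it throws XmlException); DtdProcessing.Ignore would also
    // stop XXE but silently drops the DTD instead of failing loudly.
    static string LoadHardened(string path)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(path, settings))
        {
            doc.Load(reader);
        }
        return doc.SelectSingleNode("//bookmark/@title").Value;
    }

    static void Main()
    {
        string secret = Path.GetTempFileName();
        File.WriteAllText(secret, "SECRET-FILE-CONTENTS");
        string payload = Path.GetTempFileName();
        File.WriteAllText(payload, BuildPayload(secret));

        // Leaks the secret file's contents through the bookmark title.
        Console.WriteLine("vulnerable: " + LoadVulnerable(payload));

        try
        {
            LoadHardened(payload);
        }
        catch (XmlException e)
        {
            // "For security reasons DTD is prohibited in this XML document."
            Console.WriteLine("hardened: rejected (" + e.Message + ")");
        }
    }
}
```

If an application genuinely must accept DTDs, the fallback is DtdProcessing.Parse with XmlResolver = null (no external fetches) plus a small XmlReaderSettings.MaxCharactersFromEntities limit to bound internal entity expansion; for a bookmark import there is no such need, and prohibiting the DTD closes all four impacts listed above at once.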

Affected products

cnblogs — pdfpatcher


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.