CVE-2025-69627
Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc. During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper...
CVE-2025-66769
A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows an attacker to cause a Denial of Service via a crafted XFA packet. Affected product: Nitro PDF Pro for Windows; vulnerability type: NULL pointer dereference in XFA handling; impact: DoS (availability impact high). No exploi...
CVE-2025-69624
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference in the JavaScript app.alert() implementation. When called with more than one argument and the first is null (e.g., app.alert(app.activeDocs, true) with activeDocs null), the engine routes to a fallback path for non-string arg...
CVE-2025-69627
CVE-2025-69627 : Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free in the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. The freed m...
Dolibarr 22.0.4 Command Injection
Dolibarr versions 22.0.4 and below suffer from a remote code injection vulnerability via MAINODTASPDF. CVE-2026-23500: OS Command Injection RCE via MAINODTASPDF configuration in Dolibarr Overview | Field | Details | |---|---| | CVE ID | CVE-2026-23500 | | Severity | CRITICAL | | Advisory |...
PT-2026-32376
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert. When app.alert is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null)...
CVE-2025-66769
A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet...
EUVD-2019-20137
eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive...
CVE-2019-25707 eBrigade ERP 4.5 SQL Injection via pdf.php
eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive...
CVE-2019-25707
The CVE-2019-25707 entry affects eBrigade ERP 4.5, where an SQL injection exists in pdf.php via the id parameter. Authenticated attackers can send crafted GET requests to retrieve arbitrary SQL results, including table names and database schema details. Documents consistently describe this as a v...
PT-2026-32169
eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive...
Exploit for CVE-2026-23500
CVE-2026-23500: OS Command Injection RCE via MAINODTASPDF...
Pypdf: Manipulated XMP Metadata Entity Declarations Can Exhaust RAM
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. Patches This has been fixed in "pypdf==6.10.0" https://github.com/py-pdf/pypdf/releases/tag/6.10.0. Workarounds If you cannot upgrade yet, consider applying th...
Chromium: CVE-2026-5894 Inappropriate implementation in PDF
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
CVE-2026-31017
A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application...
Google Chrome PDF Component Memory Misreference Vulnerability
Google Chrome is a web browser from Google, an American company. A memory misreference vulnerability exists in versions of Google Chrome prior to 146.0.7680.178. The vulnerability stems from a confusion in the instructions of the PDF component responsible for freeing memory. An attacker could...
SUSE CVE-2026-5894
Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...
CVE-2026-5894
A flaw was found in the PDF component of Google Chrome and Chromium. A remote attacker could exploit this vulnerability by tricking a user into opening a specially crafted HTML page. This could allow the attacker to bypass navigation restrictions, potentially leading to unintended actions or acce...
Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025
Threat actors have been exploiting a previously unknown zero-day vulnerability in Adobe Reader using maliciously crafted PDF documents since at least December 2025. The finding, detailed by EXPMON's Haifei Li, has been described as a highly-sophisticated PDF exploit. The artifact "Invoice540.pdf"...
EUVD-2026-20715
Inappropriate implementation in PDF in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. Chromium security severity: Low...