CVE-2025-63917

Publication date

2025-11-17 00:00:00

Family

mitre

State

PUBLISHED

Description

PDFPatcher thru 1.1.3.4663 executables XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NETs XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victims filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.