CVE-2022-35583
Published 2022-08-22
CVE-2022-35583: wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial access into the target's system by injecting iframe tag with initial asset IP…
Priority P268 · critical · 9.8 · CVSS 3.1
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
EXPLOIT
EPSS: 11.28% (95.4th percentile)
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF, which allows an attacker to get initial access into the target's system by injecting an iframe tag with initial asset IP address in its source. This allows the attacker to take over the whole infrastructure by accessing their internal assets.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pandoc | — | — |
| debian | wkhtmltopdf | — | — |
| wkhtmltopdf | wkhtmltopdf | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to PDF-generation endpoints (e.g. `/PDF/FromHTML`) containing HTML payloads with injected `<iframe>` tags referencing internal/RFC-1918 IP addresses, which is the SSRF delivery mechanism for this CVE.
- Inspect the `data` or `header` POST body parameters submitted to wkhtmltopdf-backed PDF generation endpoints for embedded `<iframe src="http://...internal...">` payloads.
- Alert on outbound HTTP/HTTPS requests originating from the wkhtmltopdf process (or its parent web application) to internal/private IP ranges, as this indicates successful SSRF exploitation.
- The exploit was tested specifically on Windows ASP.NET deployments of wkhtmltopdf 0.12.6; detection logic targeting the `/PDF/FromHTML` endpoint may need to be adapted for other framework-specific endpoint paths.
- Debian bookworm and bullseye packages remain open/unpatched for CVE-2022-35583 as of the tracker data; environments running wkhtmltopdf from Debian repos should treat the vulnerability as unmitigated.
CVSS provenance
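| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |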
OSV
CVE-2025-51591: A Server-Side Request Forgery (SSRF) in JGM Pandoc v3
osv·2025-07-11·CVSS 9.8
CVE-2025-51591 [CRITICAL] CVE-2025-51591: A Server-Side Request Forgery (SSRF) in JGM Pandoc v3
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
VulnCheck
Server-Side Request Forgery (SSRF)
vulncheck·2025·CVSS 9.8
CVE-2025-51591 [CRITICAL] Server-Side Request Forgery (SSRF)
Server-Side Request Forgery (SSRF)
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
Affected: JGM JGM Pandoc
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wiz.io/blog/imds-anomaly-hunting-zer
GHSA
GHSA-v2fj-q75c-65mr: wkhtmlTOpdf 0
ghsa_unreviewed·2022-08-23
CVE-2022-35583 [CRITICAL] CWE-918 GHSA-v2fj-q75c-65mr: wkhtmlTOpdf 0
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF, which allows an attacker to get initial access into the target's system by injecting an iframe tag with initial asset IP address in its source. This allows the attacker to take over the whole infrastructure by accessing their internal assets.
OSV
CVE-2022-35583: wkhtmlTOpdf 0
osv·2022-08-22·CVSS 9.8
CVE-2022-35583 [CRITICAL] CVE-2022-35583: wkhtmlTOpdf 0
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF, which allows an attacker to get initial access into the target's system by injecting an iframe tag with initial asset IP address in its source. This allows the attacker to take over the whole infrastructure by accessing their internal assets.
Red Hat
pandoc: Server-Side Request Forgery in Pandoc
vendor_redhat·2025-07-11·CVSS 9.8
CVE-2025-51591 [CRITICAL] CWE-918 pandoc: Server-Side Request Forgery in Pandoc
pandoc: Server-Side Request Forgery in Pandoc
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
A Server-Side Request Forgery (SSRF) flaw has been discovered in Pandoc. Maliciously crafted input can inject an iframe into pdf output.
Mitigation: When ingesting untrusted input, users are advised to use Pandoc's `--sandbox` option.
Package: pand
Debian
CVE-2025-51591: pandoc - A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to ga...
vendor_debian·2025·CVSS 9.8
CVE-2025-51591 [CRITICAL] CVE-2025-51591: pandoc - A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to ga...
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. Note: Some users have stated that Pandoc by default can retrieve and parse untrusted HTML content which can enable SSRF vulnerabilities. Using the ‘--sandbox’ option or ‘pandoc-server’ can mitigate such vulnerabilities. Using pandoc with an external ‘--pdf-engine’ can also enable SSRF vulnerabilities, such as CVE-2022-35583 in wkhtmltopdf.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
Debian
CVE-2022-35583: wkhtmltopdf - wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial...
vendor_debian·2022·CVSS 9.8
CVE-2022-35583 [CRITICAL] CVE-2022-35583: wkhtmltopdf - wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to get initial...
wkhtmlTOpdf 0.12.6 is vulnerable to SSRF, which allows an attacker to get initial access into the target's system by injecting an iframe tag with initial asset IP address in its source. This allows the attacker to take over the whole infrastructure by accessing their internal assets.
Scope: local
bookworm: open
bullseye: open
No detection rules found.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/171446/wkhtmltopdf-0.12.6-Server-Side-Request-Forgery.html
- https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently
- https://drive.google.com/file/d/1LAmf_6CJLk5qDp0an2s_gVQ0TN2wmht5/view?usp=sharing
- https://wkhtmltopdf.org/
Published: 2022-08-22