CVE-2022-35583

CRITICAL

wkhtmltopdf 0.12.6 - Server-Side Request Forgery via iframe Source

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-35583. PoCs published by Momen Eldawakhly.

AI-analyzed exploit summary: This exploit demonstrates a Server-Side Request Forgery (SSRF) vulnerability in wkhtmltopdf 0.12.6 by embedding an iframe with an external URL in the PDF generation request. The PoC shows how an attacker can force the server to make arbitrary HTTP requests.

Description

wkhtmltopdf 0.12.6 is vulnerable to SSRF, which allows an attacker to gain initial access to the target's system by injecting an iframe tag with an internal asset's IP address in its source. This allows the attacker to take over the whole infrastructure by accessing its internal assets.

Exploits (1)

exploitdb WORKING POC
by Momen Eldawakhly · text · webapps · asp
https://www.exploit-db.com/exploits/51039

Classification
Working PoC 90%
Attack Type
SSRF
Complexity
Trivial
Reliability
Reliable
Target: wkhtmltopdf 0.12.6
Auth required
Prerequisites: Access to a vulnerable wkhtmltopdf instance · Valid __RequestVerificationToken
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.1066
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-918
Status published
Products (1)
wkhtmltopdf/wkhtmltopdf 0.12.6
Published Aug 22, 2022
Tracked Since Feb 18, 2026