CVE-2025-65875

An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://www.fpdf.org	Product
https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/	Third Party Advisory
https://github.com/Setasign/FPDF	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:fpdf:fpdf:1.8.6:*:*:*:*:*:*:*

History

11 Feb 2026, 19:24

Type	Values Removed	Values Added
First Time		Fpdf Fpdf fpdf
References	~~() http://www.fpdf.org -~~	() http://www.fpdf.org - Product
References	~~() https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/ -~~	() https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/ - Third Party Advisory
References	~~() https://github.com/Setasign/FPDF -~~	() https://github.com/Setasign/FPDF - Product
CPE		cpe:2.3:a:fpdf:fpdf:1.8.6:::::::*

04 Feb 2026, 17:16

Type	Values Removed	Values Added
CWE		CWE-434

03 Feb 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-03 18:16

Updated : 2026-02-11 19:24

NVD link : CVE-2025-65875

Mitre link : CVE-2025-65875

CVE.ORG link : CVE-2025-65875

JSON object : View

Products Affected

fpdf

fpdf

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

8.8 /10