CVE-2022-38648

CVE-2022-38648: PDFTranscoder does not block external resources

Vendor Apache Software Foundation

Product Apache XML Graphics

Weakness CWE-918 · SSRF

Published September 22, 2022

Last update November 3, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

Key dates

02Disclosure timeline

September 22, 2022 CVE published

November 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-38648 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

04Related CVE

CVE-2025-13809 orionsec orion-ops SSH Connection MachineInfoController.java server-side request forgery CVE-2024-27098 Blind Server-Side Request Forgery (SSRF) using Arbitrary Object Instantiation in GLPI CVE-2023-41339 Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer CVE-2026-49328 Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF CVE-2025-13096 XML eXternal Entity injection (XXE) vulnerability affect IBM Business Automation Workflow -