Remote Code Execution Flaw in Soda PDF Desktop XLS File Handling
CVE-2025-14412

7.8HIGH

Key Information:

Vendor: Soda PDF
Status: Desktop
Vendor: CVE Published:; 23 December 2025

What is CVE-2025-14412?

A vulnerability has been identified in Soda PDF Desktop that relates to insufficient user warnings when handling XLS files. This flaw allows remote attackers to execute arbitrary code if a user interacts with a malicious file or web page. The vulnerability arises from the application's inability to adequately warn users about executing unsafe scripts, which can lead to significant security risks. Protect your systems by taking necessary precautions and staying updated on available patches.

Affected Version(s)

Desktop 14.0.509.23030

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1085/

x_research-advisory

CVSS V3.0

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 23, 2025
Vulnerability Reserved
Dec 10, 2025

JSON