Arbitrary File Upload Vulnerability in FPDF by Setasign
CVE-2025-65875

8.8HIGH

Key Information:

Vendor: Setasign
Status: FPDF
Vendor: CVE Published:; 3 February 2026

What is CVE-2025-65875?

An arbitrary file upload vulnerability exists in the AddFont() function of FPDF versions prior to 1.87, allowing attackers to upload malicious PHP files. This security flaw can lead to remote code execution, compromising the integrity of servers using the affected versions. To mitigate this risk, it is crucial to update to the latest version of FPDF and implement proper file upload validation.

References

http://www.fpdf.org

https://github.com/Setasign/FPDF

https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2026
Vulnerability Reserved
Nov 18, 2025

CVE-2025-65875 Data

JSON