PatchSiren cyber security CVE debrief
CVE-2019-25729 simcy_creative CVE debrief
CVE-2019-25729 is a critical server-side template injection vulnerability in PDF Signer 3.0. This vulnerability allows unauthenticated attackers to execute PHP commands through the CSRF-TOKEN cookie parameter, potentially leading to arbitrary code execution and sensitive information disclosure.
- Vendor: simcy_creative
- Product: PDF Signer
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Users of PDF Signer 3.0, administrators of systems where PDF Signer 3.0 is deployed, and security teams responsible for vulnerability management.
Technical summary
The vulnerability is caused by a server-side template injection issue in PDF Signer 3.0. Attackers can craft malicious CSRF-TOKEN cookie values containing template injection payloads that call PHP functions such as shell_exec(), which lets them execute system commands and retrieve sensitive information from the server. The vulnerability has a CVSS score of 9.3 and is classified as CRITICAL.
Defensive priority
High
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Restrict access to the CSRF-TOKEN cookie parameter to prevent unauthorized modifications.
- Monitor systems for suspicious activity related to PDF Signer 3.0.
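One way to carry out the monitoring step is to review logged requests for CSRF-TOKEN cookie values that are not plain tokens. The sketch below is an added example, not vendor or PatchSiren code. It assumes a log format that records the Cookie header in a `cookie="..."` field and that a legitimate token is 16 to 128 characters of `A-Za-z0-9_-`; the function names other than shell_exec are an added generalization, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate CSRF token is an opaque string in this alphabet.
TOKEN_OK = re.compile(r"[A-Za-z0-9_\-]{16,128}")
# shell_exec is named in the advisory; the other PHP functions are added here.
PHP_CALL = re.compile(r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(", re.I)
# Assumption: the web server logs the Cookie header as cookie="...".
COOKIE_FIELD = re.compile(r'cookie="([^"]*)"')

def csrf_token(cookie_header):
    """Return the raw CSRF-TOKEN value from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CSRF-TOKEN":
            return value
    return None

def decode(value, rounds=3):
    # Undo up to `rounds` layers of URL encoding so double-encoded values are seen.
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(cookie_header):
    """Return 'absent', 'php-call', 'malformed' or 'ok' for one Cookie header."""
    raw = csrf_token(cookie_header)
    if raw is None:
        return "absent"
    val = decode(raw)
    if PHP_CALL.search(val):
        return "php-call"
    return "ok" if TOKEN_OK.fullmatch(val) else "malformed"

# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '198.51.100.10 "GET /dashboard" cookie="session=abc; CSRF-TOKEN=9f2c4e1ab7d84c0e9a31f6b2c5d7e8f0"',
    '203.0.113.7 "GET /" cookie="CSRF-TOKEN=shell_exec%28%27id%27%29"',
    '203.0.113.7 "GET /" cookie="CSRF-TOKEN=%2573hell_exec%2528x%2529"',
    '198.51.100.22 "GET /" cookie="CSRF-TOKEN=%7Bx%7D0123456789abcdef"',
]

def scan(lines):
    """Return (source_ip, verdict) for every request whose token is not clean."""
    hits = []
    for line in lines:
        m = COOKIE_FIELD.search(line)
        verdict = classify(m.group(1)) if m else "absent"
        if verdict in ("php-call", "malformed"):
            hits.append((line.split()[0], verdict))
    return hits
```

A `malformed` verdict only means the value falls outside the assumed token format, so tune `TOKEN_OK` to the tokens your deployment actually issues before alerting on it.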
Evidence notes
The vulnerability was reported through a source item from the NVD database, with references to the vendor's product page and exploit details.
Official resources
CVE-2019-25729 was published on 2019-04-09T00:00:00.000Z and modified on 2019-04-09T00:00:00.000Z.