Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Report generated on: March 29, 2026 at 03:20 UTC

Introduction

Our Commitment to Security

Welcome to the UniDoc Security Hub. At UniDoc, the security of our products is a top priority. We are committed to being transparent with our customers about the security of our UniPDF, UniOffice, and UniHTML libraries. This hub is a key part of that commitment, demonstrating our proactive approach to identifying and addressing security vulnerabilities.

DevSecOps Lifecycle

graph TD
    A[Developer Commits Code] --> B(CI Pipeline Starts);
    subgraph B [Continuous Integration]
        C(Build & Unit Test) --> D{Security Scans};
        subgraph D
            E[SAST Analysis];
            F[Go Package Scan];
            G[Supply Chain Scan];
        end
    end
    D --> H{Vulnerability Found?};
    H -- Yes --> I[Triage & Prioritize];
    I --> J(Remediate Vulnerability);
    J --> A;
    H -- No --> K(Release Secure Product);

Vulnerability Management

graph TD
    A[Discover] --> B(Prioritize);
    B --> C{Remediate};
    C --> D[Verify];
    D --> A;

Report generated on: March 29, 2026 at 03:20 UTC

All Products Vulnerability Report

Covered Products

Product NameRepository
UniPDFgithub.com/unidoc/unipdf
UniOfficegithub.com/unidoc/unioffice
UniHTMLgithub.com/unidoc/unihtml

Key Findings for This Reporting Period

  • Total Open Vulnerabilities: Across all products, we are currently tracking 0 open vulnerabilities.
  • Progress: Over the last 12 months, we have fixed 20 vulnerabilities, including 0 critical ones.

12-Month Combined Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02", "2026-03"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 6, 7, 0, 0, 0, 0, 3, 4]
MonthNewFixedTotal at Month End
2026-03040
2026-02034
2026-01007
2025-12007
2025-11007
2025-10007
2025-09077
2025-080614
2025-070020
2025-060020
2025-050020
2025-040020

Detailed Vulnerability List

Total Open Vulnerabilities: 0

No open vulnerabilities.

Total Fixed Vulnerabilities (Last 12 Months): 20

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2023-36308LOWgithub.com/disintegration/imagingdisintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
GHSA-vrw8-fxc6-2r93MEDIUMgithub.com/go-chi/chi/v5chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes

Report generated on: March 29, 2026 at 03:20 UTC

UniPDF Vulnerability Report

Current Status

Total Open Vulnerabilities: 0

SeverityCount
CRITICAL0
HIGH0
MEDIUM0
LOW0
UNKNOWN0
Total0

12-Month Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02", "2026-03"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 2, 0]
MonthNewFixedTotal at Month End
2026-03000
2026-02020
2026-01002
2025-12002
2025-11002
2025-10002
2025-09002
2025-08032
2025-07005
2025-06005
2025-05005
2025-04005

Detailed Vulnerability List

Total Open Vulnerabilities: 0

No open vulnerabilities.

Total Fixed Vulnerabilities (Last 12 Months): 8

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Report generated on: March 29, 2026 at 03:20 UTC

UniOffice Vulnerability Report

Current Status

Total Open Vulnerabilities: 0

SeverityCount
CRITICAL0
HIGH0
MEDIUM0
LOW0
UNKNOWN0
Total0

12-Month Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02", "2026-03"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 1, 2]
MonthNewFixedTotal at Month End
2026-03020
2026-02012
2026-01003
2025-12003
2025-11003
2025-10003
2025-09033
2025-08006
2025-07006
2025-06006
2025-05006
2025-04006

Detailed Vulnerability List

Total Open Vulnerabilities: 0

No open vulnerabilities.

Total Fixed Vulnerabilities (Last 12 Months): 6

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2023-36308LOWgithub.com/disintegration/imagingdisintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Report generated on: March 29, 2026 at 03:20 UTC

UniHTML Vulnerability Report

Current Status

Total Open Vulnerabilities: 0

SeverityCount
CRITICAL0
HIGH0
MEDIUM0
LOW0
UNKNOWN0
Total0

12-Month Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02", "2026-03"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 2]
MonthNewFixedTotal at Month End
2026-03020
2026-02002
2026-01002
2025-12002
2025-11002
2025-10002
2025-09042
2025-08006
2025-07006
2025-06006
2025-05006
2025-04006

Detailed Vulnerability List

Total Open Vulnerabilities: 0

No open vulnerabilities.

Total Fixed Vulnerabilities (Last 12 Months): 6

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
GHSA-vrw8-fxc6-2r93MEDIUMgithub.com/go-chi/chi/v5chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes