Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Report generated on: February 07, 2026 at 03:20 UTC

Introduction

Our Commitment to Security

Welcome to the UniDoc Security Hub. At UniDoc, the security of our products is a top priority. We are committed to being transparent with our customers about the security of our UniPDF, UniOffice, and UniHTML libraries. This hub is a key part of that commitment, demonstrating our proactive approach to identifying and addressing security vulnerabilities.

DevSecOps Lifecycle

graph TD
    A[Developer Commits Code] --> B(CI Pipeline Starts);
    subgraph B [Continuous Integration]
        C(Build & Unit Test) --> D{Security Scans};
        subgraph D
            E[SAST Analysis];
            F[Go Package Scan];
            G[Supply Chain Scan];
        end
    end
    D --> H{Vulnerability Found?};
    H -- Yes --> I[Triage & Prioritize];
    I --> J(Remediate Vulnerability);
    J --> A;
    H -- No --> K(Release Secure Product);

Vulnerability Management

graph TD
    A[Discover] --> B(Prioritize);
    B --> C{Remediate};
    C --> D[Verify];
    D --> A;

Report generated on: February 07, 2026 at 03:20 UTC

All Products Vulnerability Report

Covered Products

Product NameRepository
UniPDFgithub.com/unidoc/unipdf
UniOfficegithub.com/unidoc/unioffice
UniHTMLgithub.com/unidoc/unihtml

Key Findings for This Reporting Period

  • Total Open Vulnerabilities: Across all products, we are currently tracking 12 open vulnerabilities.
  • Progress: Over the last 12 months, we have fixed 10 vulnerabilities, including 0 critical ones.

12-Month Combined Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-03", "2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 0, 3, 7, 0, 0, 0, 0, 0]
MonthNewFixedTotal at Month End
2026-020012
2026-010012
2025-120012
2025-110012
2025-100012
2025-090712
2025-080319
2025-070022
2025-060022
2025-050022
2025-040022
2025-030022

Detailed Vulnerability List

Total Open Vulnerabilities: 12

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2023-36308LOWgithub.com/disintegration/imagingdisintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2023-36308LOWgithub.com/disintegration/imagingdisintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication

Total Fixed Vulnerabilities (Last 12 Months): 10

CVE IdentifierSeverityPackage NameDescription
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
GHSA-vrw8-fxc6-2r93MEDIUMgithub.com/go-chi/chi/v5chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes

Report generated on: February 07, 2026 at 03:20 UTC

UniPDF Vulnerability Report

Current Status

Total Open Vulnerabilities: 2

SeverityCount
CRITICAL0
HIGH0
MEDIUM2
LOW0
UNKNOWN0
Total2

12-Month Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-03", "2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0]
MonthNewFixedTotal at Month End
2026-02002
2026-01002
2025-12002
2025-11002
2025-10002
2025-09002
2025-08032
2025-07005
2025-06005
2025-05005
2025-04005
2025-03005

Detailed Vulnerability List

Total Open Vulnerabilities: 2

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication

Total Fixed Vulnerabilities (Last 12 Months): 3

CVE IdentifierSeverityPackage NameDescription
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Report generated on: February 07, 2026 at 03:20 UTC

UniOffice Vulnerability Report

Current Status

Total Open Vulnerabilities: 6

SeverityCount
CRITICAL0
HIGH0
MEDIUM4
LOW2
UNKNOWN0
Total6

12-Month Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-03", "2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0]
MonthNewFixedTotal at Month End
2026-02006
2026-01006
2025-12006
2025-11006
2025-10006
2025-09036
2025-08009
2025-07009
2025-06009
2025-05009
2025-04009
2025-03009

Detailed Vulnerability List

Total Open Vulnerabilities: 6

CVE IdentifierSeverityPackage NameDescription
CVE-2023-36308LOWgithub.com/disintegration/imagingdisintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2023-36308LOWgithub.com/disintegration/imagingdisintegration Imaging 1.6.2 allows attackers to cause a panic (becaus ...
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication

Total Fixed Vulnerabilities (Last 12 Months): 3

CVE IdentifierSeverityPackage NameDescription
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net

Report generated on: February 07, 2026 at 03:20 UTC

UniHTML Vulnerability Report

Current Status

Total Open Vulnerabilities: 4

SeverityCount
CRITICAL0
HIGH0
MEDIUM4
LOW0
UNKNOWN0
Total4

12-Month Vulnerability Trend

xychart-beta
    title "New vs. Fixed Vulnerabilities (Last 12 Months)"
    x-axis "Month" ["2025-03", "2025-04", "2025-05", "2025-06", "2025-07", "2025-08", "2025-09", "2025-10", "2025-11", "2025-12", "2026-01", "2026-02"]
    y-axis "Count"
    bar "New" [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
    bar "Fixed" [0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0]
MonthNewFixedTotal at Month End
2026-02004
2026-01004
2025-12004
2025-11004
2025-10004
2025-09044
2025-08008
2025-07008
2025-06008
2025-05008
2025-04008
2025-03008

Detailed Vulnerability List

Total Open Vulnerabilities: 4

CVE IdentifierSeverityPackage NameDescription
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication
CVE-2025-47914MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh/agent: SSH Agent servers: Denial of Service due to malformed messages
CVE-2025-58181MEDIUMgolang.org/x/cryptogolang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via unbounded memory consumption in GSSAPI authentication

Total Fixed Vulnerabilities (Last 12 Months): 4

CVE IdentifierSeverityPackage NameDescription
CVE-2025-22869HIGHgolang.org/x/cryptogolang.org/x/crypto/ssh: Denial of Service in the Key Exchange of golang.org/x/crypto/ssh
CVE-2025-22870MEDIUMgolang.org/x/netgolang.org/x/net/proxy: golang.org/x/net/http/httpproxy: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
CVE-2025-22872MEDIUMgolang.org/x/netgolang.org/x/net/html: Incorrect Neutralization of Input During Web Page Generation in x/net in golang.org/x/net
GHSA-vrw8-fxc6-2r93MEDIUMgithub.com/go-chi/chi/v5chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes