wid-sec-w-2026-0862 · Published 2026-03-25 · View on BSI CERT-Bund ↗

RealObjects PDFreactor: Multiple Vulnerabilities

CVSS 9.8 CRITICAL

Risk Summary

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsing may divulge implementation details.

CVEs (8)

CVE-2025-11143 CVE-2025-41242 CVE-2025-48913 CVE-2026-1605 CVE-2026-21925 CVE-2026-21932 CVE-2026-21933 CVE-2026-21945

Affected Vendors

RealObjects

Affected Products (2)

RealObjects · PDFreactor <12.5

RealObjects · PDFreactor 12.5

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more