Apryse: IDP Software Vendor
Developer-first document processing SDK platform formerly known as PDFTron, serving 20,000+ organizations including 85% of Fortune 100 companies with PDF generation, viewing, editing, annotation, redaction, and signing capabilities.
Overview
Apryse, formerly PDFTron, rebranded in February 2023 to reflect a product portfolio that had grown well beyond its original PDF SDK roots. Backed by Silversmith Capital Partners and Thoma Bravo, the company serves 20,000+ organizations including more than 85% of Fortune 100 companies across government, enterprise, and startup segments.
Rather than offering a standalone SaaS IDP platform, Apryse's primary model is embedding document capabilities into third-party applications via SDKs and pre-built components. The PDF Association lists its portfolio as Apryse SDK, WebViewer, iText, and Xodo - covering the full document lifecycle: generation, conversion, viewing, editing, annotation, redaction, and signing. End-user SaaS applications (Xodo) are a secondary offering.
The company has pursued an acquisition-led expansion strategy to build a vertically integrated document stack. In February 2024, it acquired LEAD Technologies, adding AI imaging capabilities. In July 2025, it acquired both Scanbot and Accusoft, extending the platform into mobile capture and additional processing formats. The Winter 2026 release added a Linux Scanbot SDK, pushing that capture stack into server-side Linux environments - a directional signal worth watching for enterprise infrastructure announcements.
Product Portfolio
Apryse SDK (formerly PDFTron SDK)
The core cross-platform SDK enabling developers to embed PDF generation, conversion, viewing, editing, annotation, redaction, and signing into their own applications. The Appian partner listing notes 25+ years of government deployments, support for all major platforms and a wide variety of file types, and no external dependencies required for server-side processing.
WebViewer
Browser-based document viewer and editor component. In November 2024, Apryse introduced a modular UI update adding enhanced accessibility and customization options. The Winter 2026 release added IME keyboard support for DOCX editing, extending Asian language input compatibility (Chinese, Japanese, Korean) directly within the browser-based editor. The component integrates with Salesforce and Appian - Carahsoft positions it specifically for government agencies managing high-volume document workflows within Salesforce, citing digital signature support and audit trail capabilities for regulatory compliance.
The February 2026 CVE disclosures apply specifically to WebViewer. Enterprises embedding WebViewer in authenticated applications should prioritize patch verification given the session-inheritance risk described in the security section below.
iText
PDF generation and manipulation library. As a PDF Association Partner Member, Apryse publishes iText updates through the PDF/A standards body. In January 2026, iText Suite 9.5 introduced support for Brotli compression and quantum-safe signatures, preparing for two upcoming additions to the PDF 2.0 specification. iText 8 launched in June 2023 as its first release under the Apryse umbrella. For Java developers, Apache PDFBox is the primary open-source alternative.
Xodo
End-user SaaS application for document collaboration, editing, and signing, targeting individuals and small business workflows.
AI Smart Data Extraction
In July 2025, Apryse published a deep dive on AI-powered smart data extraction, signaling active investment in LLM-augmented document processing capabilities within the SDK layer. In January 2025, the company introduced Template Extraction, described as separating template logic from document content at extraction time. These capabilities represent AI extraction added as a layer on top of the core SDK foundation - a different architecture from pure-play IDP vendors that built extraction-first.
Deployment and Integration
Apryse SDKs operate without third-party server-side dependencies, a design choice the company emphasizes for data security in regulated environments. The Appian plugin processes documents within the Appian environment to minimize external data exposure, supporting DOCX and PDF editing, collaboration, complex document generation, redaction, signing, and document manipulation. The Carahsoft listing confirms Salesforce integration with no server-side dependencies required.
Platform coverage spans web, mobile, desktop, and - as of Winter 2026 - Linux server environments via the new Scanbot SDK. The Linux addition is a small but directional signal: combined with the existing WebViewer browser SDK, it positions Apryse as a full-stack document processing layer across deployment environments.
Acquisitions Timeline
| Date | Acquisition | Capability Added |
|---|---|---|
| February 2024 | LEAD Technologies | AI imaging SDK |
| July 2025 | Scanbot | Mobile document scanning and capture |
| July 2025 | Accusoft | Document processing and viewing technology |
The LEAD Technologies acquisition added AI imaging capabilities; the dual Scanbot and Accusoft acquisitions extended the platform into mobile capture and additional processing formats. The Winter 2026 Linux Scanbot SDK extends that capture stack further into server environments - a pattern consistent with building a vertically integrated document stack rather than relying on third-party components.
Use Cases
Enterprise Application Development
Software vendors embed Apryse SDKs to add document capabilities without building PDF infrastructure from scratch. Bentley Systems' Senior Product Manager cited the cross-platform approach as accelerating product delivery; Drawboard's founder noted "superior speed and functionality out of the box" versus alternatives.
Government and Public Sector
Carahsoft distributes Apryse to U.S. government agencies, positioning WebViewer for Salesforce-based document management in contexts requiring digital signatures, audit trails, and high-volume processing. The Appian partner profile notes 25+ years of government deployments at all levels.
CAD and Engineering Workflows
AutoCAD's Global Head of Product Management described Apryse's integration speed as "superior to their competition" with a product roadmap that "invested in the right things" - indicating adoption in technical document workflows beyond standard office formats.
Competitive Position
Apryse competes most directly with Nutrient (formerly PSPDFKit), which also targets developers building document capabilities into applications. Both offer cross-platform SDKs for PDF viewing, annotation, and editing. Adobe overlaps at the enterprise end through Acrobat SDK and PDF Services API. For the iText library specifically, Apache PDFBox represents the primary open-source alternative in the Java ecosystem.
Unlike pure-play IDP vendors such as ABBYY or Hyperscience - which focus on automated data extraction from inbound documents - Apryse's core value proposition is enabling document interaction and processing within developer-built applications, with AI extraction capabilities added more recently as a layer on top of that foundation. The February 2026 CVE disclosures affected both Apryse and Foxit simultaneously, limiting their value as a competitive differentiator in either direction; the more relevant signal is how each vendor's security response process compares.
Technical Specifications
| Feature | Specification |
|---|---|
| Primary Delivery | SDKs, pre-built components, end-user SaaS |
| Core Operations | Generate, convert, view, edit, annotate, redact, sign |
| Server Dependencies | None required (self-contained processing) |
| Platform Support | Web, mobile, desktop, Linux (Scanbot SDK, Winter 2026) |
| File Type Support | PDF, DOCX, and wide variety of additional formats |
| Integrations | Salesforce, Appian, and others |
| Standards | PDF/A, PDF 2.0 (via iText); quantum-safe signatures (iText 9.5) |
| Investors | Silversmith Capital Partners, Thoma Bravo |
| Customer Base | 20,000+ organizations; 85%+ of Fortune 100 |
Security: Three CVEs Patched in WebViewer
The most significant Apryse development in early 2026 is a security disclosure, not a product launch. On February 18, 2026, penetration testing startup Novee Security published research revealing 16 zero-day vulnerabilities across Apryse WebViewer and Foxit PDF cloud services. Three CVEs were assigned specifically to Apryse:
- CVE-2025-70402 (Critical) - DOM XSS via malicious `uiConfig` JSON that injects SVG `foreignObject` payloads, bypassing `DOMParser` and executing via `dangerouslySetInnerHTML` in `Icon.js`. Enables full account takeover.
- CVE-2025-70401 (High) - Stored DOM XSS in annotation author fields. A script embedded in a PDF comment's "Author" field executes and steals login credentials the moment a victim types a single character in the notes panel. Triggers on every re-render, persisting across sessions.
- CVE-2025-70400 (High) - SSRF via iFrame rendering forces servers to fetch internal resources, enabling internal network reconnaissance.
All three are one-click attack vectors - no browser or OS compromise required. Because WebViewer is an embeddable SDK that sits inside authenticated enterprise applications, XSS payloads can inherit the host application's session context, broadening the blast radius to any downstream application using the SDK. Some vulnerabilities were exploitable with a single HTTP request via specially crafted documents, URLs, or messages.
Remediation: Apryse received advance notice and patched all reported issues before public disclosure. Stan Kornacki, VP of IT and CISO, confirmed the response:
"The issues referenced in Novee's upcoming research were responsibly reported and have been addressed through product updates, documentation improvements, and strengthened default configurations. We expect these types of issues to be infrequent, but when they appear, we address them promptly and thoroughly, keeping all parties informed throughout the process."
- Stan Kornacki, VP of IT and CISO, Apryse. SecurityWeek
The coordinated disclosure completed without known exploitation, and Kornacki's statement addresses data impact assessment and release quality standards - not just the patch itself. That framing matters for enterprise buyers assessing vendor security maturity rather than just vulnerability count.
Source gap: No specific patched version number or remediation date appears in any of the four security articles. Buyers verifying patch status against deployed versions should consult the Novee Security primary research post directly.
Recommended enterprise actions: update WebViewer to the patched version, enforce Content-Security-Policy on all embeds, validate postMessage origins strictly, and audit annotation author fields for stored payload traces.
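One way to run the author-field audit recommended above, as an added example that is not Apryse or Novee code. It assumes annotations are stored or exported as XFDF, where the author is carried in the `title` attribute; the function names, the heuristics and the sample XFDF are constructed for illustration.

```javascript
// Added example (not Apryse or Novee code): audit XFDF annotation data for
// markup in the author field, which XFDF stores in the "title" attribute.
const ENTITIES = new Map([['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"]]);

// Decode XML entities so an escaped payload is inspected in its decoded form.
function decodeXml(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|\w+);/gi, (match, ent) => {
    if (ent[0] !== '#') return ENTITIES.get(ent.toLowerCase()) ?? match;
    const hex = ent[1].toLowerCase() === 'x';
    const code = parseInt(ent.slice(hex ? 2 : 1), hex ? 16 : 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : match;
  });
}

// Heuristics (assumed, tune per deployment) for content that has no place in a display name.
const CHECKS = [
  ['markup', /<\s*[a-z!\/]/i],
  ['event-handler', /\bon[a-z]+\s*=/i],
  ['script-url', /\bjavascript\s*:/i],
];

// Return one finding per annotation whose author field trips a check.
function auditAuthors(xfdf) {
  const tagRe = /<([\w:-]+)((?:\s+[\w:-]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*\/?>/g;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  const findings = [];
  for (const [, tag, attrText] of xfdf.matchAll(tagRe)) {
    const attrs = Object.create(null);
    for (const [, key, dq, sq] of attrText.matchAll(attrRe)) attrs[key] = decodeXml(dq ?? sq);
    if (attrs.title === undefined) continue;
    const reasons = CHECKS.filter(([, re]) => re.test(attrs.title)).map(([name]) => name);
    if (reasons.length) findings.push({ tag, id: attrs.name ?? null, author: attrs.title, reasons });
  }
  return findings;
}

// Constructed sample: two benign annotations and one with markup in the author.
const SAMPLE_XFDF = `<?xml version="1.0" encoding="UTF-8"?>
<xfdf xmlns="http://ns.adobe.com/xfdf/"><annots>
<text name="a1" page="0" title="Jane Doe" subject="Note"/>
<highlight name="a2" page="1" title="O&apos;Brien &amp; Co" subject="Highlight"/>
<text name="a3" page="2" title="&lt;img src=x onerror=alert(1)&gt;" subject="Note"/>
</annots></xfdf>`;

console.log(auditAuthors(SAMPLE_XFDF)); // one finding: annotation a3
```

A finding marks a record for review and cleanup; it does not replace output encoding in the viewer or the patched WebViewer build.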
The embedded SDK risk model. Enterprise security teams that treat embedded document SDKs as low-risk components are the implicit target of Novee's framing. When an XSS payload executes inside an authenticated host application, it inherits that application's session context - and the Apryse CVEs are the proof-of-concept. Any IDP buyer embedding WebViewer in a document workflow should treat patch verification as urgent, not routine.
AI-assisted offensive research changes the threat landscape. Novee's discovery method used a hybrid human-agent approach: researchers manually identified vulnerability patterns, then trained a multi-agent LLM system to scan obfuscated code autonomously at scale, producing 13 distinct vulnerability categories across both vendors in a single research cycle. IDP vendors with large, complex SDK surfaces should expect this class of automated discovery to become routine.
Resources
- Apryse Website
- Apryse Release Notes
- PDF Association Member Profile
- Silversmith Capital Partners Portfolio
- Appian Partner Listing
- Carahsoft Public Sector Listing
- Novee Security CVE Research
Company Information
USA - Headquartered in the United States. PDF Association Partner Member since February 2023. Backed by Silversmith Capital Partners and Thoma Bravo. Founded 1999 as PDFTron; rebranded as Apryse in February 2023.