Apryse — Document SDK Platform, Formerly PDFTron

11 min read

On This Page

Developer-first document processing SDK platform formerly known as PDFTron, serving 20,000+ organizations including 85% of Fortune 100 companies with PDF generation, viewing, editing, annotation, redaction, and signing capabilities.

20,000+Organizations served
85%+Fortune 100 companies using Apryse
25Barcodes per second (Linux SDK)
3CVEs patched before public disclosure (Feb 2026)

Overview

Apryse, formerly PDFTron, rebranded in February 2023 to reflect a product portfolio that had grown well beyond its original PDF SDK roots. Backed by Silversmith Capital Partners and Thoma Bravo, the company serves 20,000+ organizations including more than 85% of Fortune 100 companies across government, enterprise, and startup segments.

Rather than offering a standalone SaaS intelligent document processing (IDP) platform, Apryse's primary model is embedding document capabilities into third-party applications via SDKs and pre-built components. The PDF Association lists its portfolio as Apryse SDK, WebViewer, iText, and Xodo, collectively covering the full document lifecycle: generation, conversion, viewing, editing, annotation, redaction, and signing. End-user SaaS applications (Xodo) are a secondary offering.

The company has pursued an acquisition-led expansion strategy to build a vertically integrated document stack. In February 2024, it acquired LEAD Technologies, adding AI imaging capabilities. In July 2025, it acquired both Scanbot and Accusoft, extending the platform into mobile capture and additional processing formats. The Winter 2026 release then pushed the Scanbot capture stack into Linux server environments for the first time, a directional signal for enterprise infrastructure deployments.

Product portfolio

Apryse SDK (formerly PDFTron SDK)

The core cross-platform SDK enabling developers to embed PDF generation, conversion, viewing, editing, annotation, redaction, and signing into their own applications. The Appian partner listing notes 25+ years of government deployments, support for all major platforms and a wide variety of file types, and no external dependencies required for server-side processing. For evaluators comparing options, this no-dependency architecture is the primary technical differentiator against cloud-dependent alternatives.

WebViewer

Browser-based document viewer and editor component. In November 2024, Apryse introduced a modular UI update adding enhanced accessibility and customization options. The Winter 2026 release added IME keyboard support for DOCX editing, extending Asian language input compatibility (Chinese, Japanese, Korean) directly within the browser-based editor. The component integrates with Salesforce and Appian. Carahsoft positions it specifically for government agencies managing high-volume document workflows within Salesforce, citing digital signature support and audit trail capabilities for regulatory compliance.

The February 2026 CVE disclosures apply specifically to WebViewer. Enterprises embedding WebViewer in authenticated applications should prioritize patch verification given the session-inheritance risk described in the security section below.

iText

PDF generation and manipulation library. As a PDF Association Partner Member, Apryse publishes iText updates through the PDF/A standards body. In January 2026, iText Suite 9.5 introduced support for Brotli compression and quantum-safe signatures, preparing for two upcoming additions to the PDF 2.0 specification. iText 8 launched in June 2023 as its first release under the Apryse umbrella. For Java developers, Apache PDFBox is the primary open-source alternative.

Xodo

End-user SaaS application for document collaboration, editing, and signing, targeting individuals and small business workflows.

AI smart data extraction

In July 2025, Apryse published a deep dive on AI-powered smart data extraction, signaling active investment in LLM-augmented document processing capabilities within the SDK layer. In January 2025, the company introduced Template Extraction, described as separating template logic from document content at extraction time. These capabilities represent AI extraction added as a layer on top of the core SDK foundation, a different architecture from pure-play IDP vendors that built extraction-first.

The Spring 2026 release, arriving April 15, 2026, adds intelligent character recognition (ICR): AI-based prediction of words from handwritten letter shapes, converting scanned handwriting to searchable text. Handwriting recognition has been a persistent gap in developer-focused PDF SDKs, which typically handle printed text well but fall short on mixed or handwritten forms. Adding ICR alongside a PDF Sanitization API and email-to-PDF conversion positions the platform for document intake workflows, not just viewing and annotation, bringing it closer to IDP-oriented competitors at the capture layer.

Deployment and integration

Apryse SDKs operate without third-party server-side dependencies, a design choice the company emphasizes for data security in regulated environments. The Appian plugin processes documents within the Appian environment to minimize external data exposure, supporting DOCX and PDF editing, collaboration, complex document generation, redaction, signing, and document manipulation. The Carahsoft listing confirms Salesforce integration with no server-side dependencies required.

Platform coverage spans web, mobile, desktop, and, as of Winter 2026, Linux server environments via the new Scanbot Linux SDK. The Linux addition is directionally significant: the SDK detects and extracts barcodes at up to 25 per second, includes a built-in Document Quality Analyzer that flags low-quality inputs, and operates entirely offline for data sovereignty requirements. The core API is written in C with wrappers for Java, Python, and Node.js, and supports GPU acceleration on NVIDIA Jetson devices. Compatible distributions include Debian, Ubuntu, and Raspberry Pi OS.

Combined with the existing WebViewer browser SDK, the Linux addition positions Apryse as a full-stack document processing layer across deployment environments, from browser to server to embedded device.

Acquisitions timeline

Date Acquisition Capability added
February 2024 LEAD Technologies AI imaging SDK
July 2025 Scanbot Mobile document scanning and capture
July 2025 Accusoft Document processing and viewing technology

The LEAD Technologies acquisition added AI imaging capabilities. The dual Scanbot and Accusoft acquisitions extended the platform into mobile capture and additional processing formats. The Winter 2026 Linux Scanbot SDK extends that capture stack further into server environments, consistent with building a vertically integrated document stack rather than relying on third-party components.

Use cases

Enterprise application development

Software vendors embed Apryse SDKs to add document capabilities without building PDF infrastructure from scratch. Bentley Systems' Senior Product Manager cited the cross-platform approach as accelerating product delivery. Drawboard's founder noted "superior speed and functionality out of the box" versus alternatives.

Government and public sector

Carahsoft distributes Apryse to U.S. government agencies, positioning WebViewer for Salesforce-based document management in contexts requiring digital signatures, audit trails, and high-volume processing. The Appian partner profile notes 25+ years of government deployments at all levels.

Industrial and embedded deployments

The Winter 2026 Linux Barcode Scanner SDK targets warehouse robots and autonomous drones for inventory and ERP integration, processing at 25 barcodes per second with GPU acceleration on NVIDIA Jetson hardware. The offline-only architecture directly addresses data sovereignty requirements in regulated verticals. This is a market segment where Anyline and Scanbot (pre-acquisition) have historically competed.

CAD and engineering workflows

AutoCAD's Global Head of Product Management described Apryse's integration speed as "superior to their competition" with a product roadmap that "invested in the right things," indicating adoption in technical document workflows beyond standard office formats.

Competitive position

Apryse competes most directly with Nutrient (formerly PSPDFKit), which also targets developers building document capabilities into applications. Both offer cross-platform SDKs for PDF viewing, annotation, and editing. Adobe overlaps at the enterprise end through Acrobat SDK and PDF Services API. For the iText library specifically, Apache PDFBox represents the primary open-source alternative in the Java ecosystem.

Unlike pure-play IDP vendors such as ABBYY or Hyperscience that focus on automated data extraction from inbound documents, Apryse's core value proposition is enabling document interaction and processing within developer-built applications, with AI extraction capabilities added more recently as a layer on top of that foundation.

The February 2026 CVE disclosures affected both Apryse and Foxit simultaneously, limiting their value as a competitive differentiator in either direction. The more relevant signal is how each vendor's security response process compares: Apryse patched all three flaws before public disclosure and its CISO issued a public statement confirming remediation scope.

Apryse strengths

Developer SDK model with no server-side dependencies. 25+ years of government deployments. Acquisition-led stack covering mobile capture, AI imaging, and Linux server environments. Coordinated security disclosure with pre-patch before public release.

Apryse gaps

AI extraction added as a layer on top of SDK foundation, not built extraction-first. ICR handwriting recognition arriving Spring 2026, later than some IDP-native competitors. No published pricing. Three high/critical CVEs in WebViewer disclosed February 2026.

Technical specifications

Feature Specification
Primary delivery SDKs, pre-built components, end-user SaaS
Core operations Generate, convert, view, edit, annotate, redact, sign
Server dependencies None required (self-contained processing)
Platform support Web, mobile, desktop, Linux (Scanbot SDK, Winter 2026)
Linux SDK performance 25 barcodes/second; GPU acceleration on NVIDIA Jetson
Linux SDK languages C core; Java, Python, Node.js wrappers
Linux distributions Debian, Ubuntu, Raspberry Pi OS
File type support PDF, DOCX, EML, MSG (Spring 2026), and additional formats
Integrations Salesforce, Appian, and others
Standards PDF/A, PDF 2.0 (via iText); quantum-safe signatures (iText 9.5)
Investors Silversmith Capital Partners, Thoma Bravo
Customer base 20,000+ organizations; 85%+ of Fortune 100

Spring 2026 release: what's new

The Spring 2026 release, arriving April 15, 2026, covers WebViewer, Server, and Scanbot SDKs. The additions that matter most for IDP evaluators are the ICR handwriting recognition engine, the PDF Sanitization API (which scrubs sensitive metadata including document revision history for secure sharing), and EML/MSG-to-PDF conversion preserving metadata and attachments. Together these three capabilities address document intake workflows that the platform previously handled only partially.

The release also adds side-by-side file comparison with simultaneous content editing, inline comment creation and management in the DOCX editor for collaborative review, spreadsheet chart viewing and editing within the workbook, and Jetpack Compose support for Android in the Scanbot SDK.

Security: three CVEs patched in WebViewer

The most significant Apryse development in early 2026 is a security disclosure, not a product launch. On February 18, 2026, penetration testing startup Novee Security published research revealing 16 zero-day vulnerabilities across Apryse WebViewer and Foxit PDF cloud services. Novee emerged from stealth in January 2026 with $51.5M in funding. Three CVEs were assigned specifically to Apryse:

  • CVE-2025-70402 (Critical): DOM XSS via malicious uiConfig JSON that injects SVG foreignObject payloads, bypassing DOMParser and executing via dangerouslySetInnerHTML in Icon.js. Novee used this for one-click account takeover in a live client proof-of-value engagement.
  • CVE-2025-70401 (High): Stored DOM XSS in annotation author fields. A script embedded in a PDF comment's "Author" field executes on every React component re-render that accesses the annotation, stealing credentials and persisting across sessions.
  • CVE-2025-70400 (High): SSRF via iFrame rendering forces servers to fetch internal resources, enabling internal network reconnaissance.

All three are one-click attack vectors requiring no browser or OS compromise. Because WebViewer is an embeddable SDK that sits inside authenticated enterprise applications, XSS payloads can inherit the host application's session context, broadening the blast radius to any downstream application using the SDK.

Novee's root cause analysis identified untrusted input from PDFs, URLs, and messages propagating across WebViewer's three trust boundary layers (a React-based UI iframe, a JavaScript/WebAssembly document engine, and a server-side SDK for HTML-to-PDF conversion) without consistent validation.

Remediation: Apryse received advance notice and patched all reported issues before public disclosure. Stan Kornacki, Vice President of IT and CISO at Apryse, stated in SecurityWeek on February 18, 2026:

The issues referenced in Novee's upcoming research were responsibly reported and have been addressed through product updates, documentation improvements, and strengthened default configurations. We expect these types of issues to be infrequent, but when they appear, we address them promptly and thoroughly, keeping all parties informed throughout the process.

Stan Kornacki, VP of IT and CISO, Apryse (SecurityWeek, February 18, 2026)

The coordinated disclosure completed without known exploitation. Kornacki's statement addresses documentation improvements and default configuration hardening alongside the patch itself, which matters for enterprise buyers assessing vendor security maturity rather than just patch velocity.

Source gap: No specific patched version number or remediation date appears in any of the four security articles. Buyers verifying patch status against deployed versions should consult the Novee Security primary research post directly. Recommended enterprise actions: update WebViewer to the patched version, enforce Content-Security-Policy on all embeds, validate postMessage origins strictly, and audit annotation author fields for stored payload traces.

AI-assisted offensive research changes the threat landscape. Novee's discovery method used a hybrid human-agent approach: researchers manually identified foundational vulnerability patterns, then trained a multi-agent LLM system to scan obfuscated code autonomously at scale. As Novee's researchers described in Hackread: "Once the agent internalized the 'scent' of these bugs, it autonomously explored the massive attack surface of both vendors. The result was the discovery of 13 distinct vulnerability categories, ranging from critical XSS to OS Command Injection." IDP vendors with large, complex SDK surfaces should expect this class of automated discovery to become routine. The Apryse CVEs are the proof-of-concept that embedded document SDKs are no longer low-risk components.

As SiliconANGLE reported on February 18, 2026, Novee's report concluded: "As document platforms grow more powerful, they also become more dangerous when trust assumptions fail. For attackers, PDFs are no longer just files. They are execution paths."

Enterprise buyers embedding WebViewer in authenticated applications should treat patch verification as urgent. The critical CVE (CVE-2025-70402) was used in an active client engagement before public disclosure. No specific patched version number has been published in available sources; consult Novee Security's primary research or Apryse directly to confirm your deployed version is remediated.

Resources

Company information

Headquartered in the USA. PDF Association Partner Member since February 2023. Backed by Silversmith Capital Partners and Thoma Bravo. Founded 1999 as PDFTron; rebranded as Apryse in February 2023.