← Back

CVE-2026-26801

nvd nist
Published: Mar 10, 2026Modified: May 7, 2026

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

Affected (20)

Products: Pdfmake: Pdfmake
Pdfmake
1 product
Pdfmake
Configuration A
20 vulnerable
Vulnerable SoftwareAffected Versions
Pdfmake
Pdfmake
From 0.3.1 to 0.3.5
Pdfmake
Version 0.3.0
Pdfmake
Version 0.3.0 beta10
Pdfmake
Version 0.3.0 beta11
Pdfmake
Version 0.3.0 beta12
Pdfmake
Version 0.3.0 beta13
Pdfmake
Version 0.3.0 beta14
Pdfmake
Version 0.3.0 beta15
Pdfmake
Version 0.3.0 beta16
Pdfmake
Version 0.3.0 beta17
Pdfmake
Version 0.3.0 beta18
Pdfmake
Version 0.3.0 beta19
Pdfmake
Version 0.3.0 beta2
Pdfmake
Version 0.3.0 beta3
Pdfmake
Version 0.3.0 beta4
Pdfmake
Version 0.3.0 beta5
Pdfmake
Version 0.3.0 beta6
Pdfmake
Version 0.3.0 beta7
Pdfmake
Version 0.3.0 beta8
Pdfmake
Version 0.3.0 beta9

Related CWEs

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (5)

Source: cve@mitre.org
Product
Source: cve@mitre.org
Product
Source: cve@mitre.org
Issue TrackingPatch
Source: cve@mitre.org
Release Notes
Source: cve@mitre.org
ExploitThird Party Advisory

Timeline

No history available yet.