CVE-2025-53626

Source
https://cve.org/CVERecord?id=CVE-2025-53626
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53626.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-53626
Published
2025-07-10T18:49:22.602Z
Modified
2026-04-10T05:32:40.607876Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
pdfme has Sandbox Escape and Prototype Pollution vulnerabilities in pdfme expression evaluation
Details

pdfme is a TypeScript-based PDF generator with a React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities that allow a sandbox escape leading to cross-site scripting (XSS) and to prototype pollution. This vulnerability is fixed in 5.4.1.

Database specific
{
    "cwe_ids": [
        "CWE-1321",
        "CWE-79",
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53626.json"
}
Affected packages

Git / github.com/pdfme/pdfme

Affected ranges

Type
GIT
Repo
https://github.com/pdfme/pdfme
Affected versions

5.*
5.2.0
5.2.1
5.2.10
5.2.11
5.2.12
5.2.13
5.2.14
5.2.15
5.2.16
5.2.2
5.2.3
5.2.4
5.2.5
5.2.7
5.2.8
5.2.9
5.3.0
5.3.0-beta.0
5.3.1
5.3.10
5.3.11
5.3.12
5.3.13
5.3.14
5.3.15
5.3.16
5.3.17
5.3.18
5.3.19
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.3.7
5.3.8
5.3.9
5.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53626.json"