GHSA-wp52-r2fp-4vmr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wp52-r2fp-4vmr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wp52-r2fp-4vmr/GHSA-wp52-r2fp-4vmr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wp52-r2fp-4vmr
- Aliases
- Published
- 2026-03-10T21:32:15Z
- Modified
- 2026-03-19T16:49:29.331008Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- pdfmake is vulnerable to server-side request forgery (SSRF)
- Details
-
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-11T21:12:09Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "nvd_published_at": "2026-03-10T19:17:17Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-26801
- https://github.com/bpampuch/pdfmake/pull/2920
- https://github.com/bpampuch/pdfmake
- https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js
- https://github.com/bpampuch/pdfmake/releases/tag/0.3.6
- https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf
Affected packages
npm / pdfmake
Package
- Name
- pdfmake
- View open source insights on deps.dev
- Purl
- pkg:npm/pdfmake