CVE-2026-26801
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method, allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
Analysis
pdfmake versions 0.3.0-beta.2 through 0.3.5 contain a server-side request forgery vulnerability in the URLResolver component that allows unauthenticated remote attackers to access sensitive information through crafted URL requests. Affected applications using vulnerable versions without proper URL access controls are at risk of information disclosure. …
Remediation
Within 24 hours: Identify all applications and services using pdfmake and document their version numbers and deployment scope. Within 7 days: Implement network segmentation to restrict outbound connections from PDF generation services and deploy WAF rules to block suspicious URL patterns in PDF requests. …
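The fix described above relies on the operator defining URL access rules for the renderer. The following is an added example of an allowlist-based URL access check of the kind a server operator would enforce before a PDF renderer is allowed to fetch a remote image; it is not pdfmake's own code, and the shape of the argument that pdfmake 0.3.6's setUrlAccessPolicy() expects is not assumed here (consult the 0.3.6 documentation before wiring it in). The allowed hostnames and the sample image map are constructed for the example.

```javascript
// Added example (not pdfmake's code): an allowlist policy for URLs a
// server-side PDF renderer may fetch. Assumed: the operator wires the
// result of urlAllowed()/filterImageUrls() into whatever hook the renderer
// offers (pdfmake 0.3.6's setUrlAccessPolicy(); argument shape not assumed).

// Hostnames the PDF service is permitted to fetch from (constructed sample).
const ALLOWED_HOSTS = new Set(['assets.example.com', 'cdn.example.com']);

// Dotted-quad IPv4 literal. The WHATWG URL parser normalises alternative
// spellings (hex, octal, single-integer) into this form, so matching the
// parsed hostname catches those encodings as well.
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// Decide whether the renderer may fetch `urlString`.
// Policy: http/https only, no embedded credentials, no IP literals of any
// kind, and the hostname must be on the explicit allowlist. Denying all IP
// literals (rather than only private ranges) keeps the policy a pure
// name allowlist and avoids maintaining a bypassable private-range denylist.
function urlAllowed(urlString, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparseable input is denied
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;
  const host = url.hostname; // already lower-cased by the URL parser
  if (IPV4_LITERAL.test(host)) return false;
  if (host.startsWith('[') || host.includes(':')) return false; // IPv6 literal
  return allowedHosts.has(host);
}

// Reduce a docDefinition-style `images` map ({ name: url }) to the entries
// the policy permits, and report the names that were rejected so the
// rejection can be logged by the calling service.
function filterImageUrls(images, allowedHosts = ALLOWED_HOSTS) {
  const permitted = {};
  const rejected = [];
  for (const [name, src] of Object.entries(images)) {
    if (urlAllowed(src, allowedHosts)) {
      permitted[name] = src;
    } else {
      rejected.push(name);
    }
  }
  return { permitted, rejected };
}

// Constructed sample input: one allowlisted image, one loopback URL,
// one non-http scheme.
const sampleImages = {
  logo: 'https://cdn.example.com/logo.png',
  internal: 'http://127.0.0.1/status',
  local: 'file:///etc/hostname',
};

const result = filterImageUrls(sampleImages);
console.log('permitted:', Object.keys(result.permitted)); // ['logo']
console.log('rejected:', result.rejected); // ['internal', 'local']
```

An allowlist by hostname is preferred over a denylist of private address ranges because a hostname check alone does not control what the name resolves to at fetch time; pairing the allowlist with the network egress restrictions named in the remediation above covers that gap.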
External POC / Exploit Code
GHSA-wp52-r2fp-4vmr