CVE Catalog

CVE-2025-26240

HighCVSS 8.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile — higher than 31% of all known CVEs

Summary

In version 1.0.0 of the python-pdfkit library by JazzCore, the from_string method allows the execution of JavaScript code within the context of the server application and the exfiltration of local files.

Risk Assessment

Exploitation of this vulnerability may lead to unauthorized access to local data and potential takeover of the server application.

Recommendation

It is recommended to update the python-pdfkit library to the latest version and restrict access to methods that can execute JavaScript code.

Original NVD description (English source)

In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS