CVE-2025-26240
HighCVSS 8.4Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
In version 1.0.0 of the python-pdfkit library by JazzCore, the from_string method allows the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Risk Assessment
Exploitation of this vulnerability may lead to unauthorized access to local data and potential takeover of the server application.
Recommendation
It is recommended to update the python-pdfkit library to the latest version and restrict access to methods that can execute JavaScript code.
Original NVD description (English source)
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

