Impact
The from_string method in JazzCore python-pdfkit 1.0.0 lets an attacker inject and run JavaScript code within the server process, enabling arbitrary code execution and the exfiltration of local files. This is a critical control‑flow vulnerability classified as CWE-120. If the method is exposed to user input, the attacker can gain full execution privileges on the hosting machine and read sensitive files or perform further attacks.
Affected Systems
Affected is the Python-pdfkit library (version 1.0.0) from the vendor JazzCore. Systems that rely on this library in a production environment and do not isolate or sanitize the from_string input are vulnerable.
Risk and Exploitability
The CVSS score of 8.4 indicates high severity. The EPSS score of less than 1% signals a low current likelihood of exploitation, but the vulnerability remains serious because it allows remote code execution when the method is reachable. It is not listed in the CISA KEV catalog, however administrators should not assume it is safe. The attack vector is likely via an application that calls from_string with untrusted data, enabling the injection of malicious JavaScript.
OpenCVE Enrichment
Github GHSA