Description
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Published: 2026-06-17
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The from_string method in JazzCore python-pdfkit 1.0.0 lets an attacker inject and run JavaScript code within the server process, enabling arbitrary code execution and the exfiltration of local files. This is a critical control‑flow vulnerability classified as CWE-120. If the method is exposed to user input, the attacker can gain full execution privileges on the hosting machine and read sensitive files or perform further attacks.

Affected Systems

Affected is the Python-pdfkit library (version 1.0.0) from the vendor JazzCore. Systems that rely on this library in a production environment and do not isolate or sanitize the from_string input are vulnerable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score of less than 1% signals a low current likelihood of exploitation, but the vulnerability remains serious because it allows remote code execution when the method is reachable. It is not listed in the CISA KEV catalog, however administrators should not assume it is safe. The attack vector is likely via an application that calls from_string with untrusted data, enabling the injection of malicious JavaScript.

Generated by OpenCVE AI on June 18, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update python-pdfkit to the latest release that fixes the from_string JavaScript execution flaw.
  • If upgrading is not possible, restrict the use of from_string to trusted inputs only and sanitize or remove embedded JavaScript before rendering.
  • Run pdfkit in a sandboxed environment or disable JavaScript support in the PDF processing configuration.

Generated by OpenCVE AI on June 18, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9g3x-6x24-vf9f pdfkit: Path traversal in from_string
History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Jazzcore
Jazzcore python-pdfkit
Vendors & Products Jazzcore
Jazzcore python-pdfkit

Thu, 18 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Title Python-pdfkit from_string Method Allows Server-Side JavaScript Execution and Local File Exfiltration

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

Jazzcore Python-pdfkit
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-17T17:27:07.439Z

Reserved: 2025-02-07T00:00:00.000Z

Link: CVE-2025-26240

cve-icon Vulnrichment

Updated: 2026-06-17T17:27:02.773Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:36Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')