Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
pdfmake: Hackers can access sensitive server data through fake requests
CVE-2026-26801
GHSA-wp52-r2fp-4vmr
Summary
Using pdfmake, a malicious attacker can trick the server into revealing sensitive information. This is a concern for servers that use pdfmake to generate documents. To protect against this, update to pdfmake version 0.3.6 or configure a URL access policy in your server settings.
What to do
- Update pdfmake to version 0.3.6.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | pdfmake | > 0.3.0-beta.2 , <= 0.3.6 | 0.3.6 |
Original title
pdfmake is vulnerable to server-side request forgery (SSRF)
Original description
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
nvd CVSS3.1
7.5
Vulnerability type
CWE-918
Server-Side Request Forgery (SSRF)
- https://github.com/bpampuch/pdfmake
- https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js
- https://github.com/bpampuch/pdfmake/pull/2920
- https://github.com/bpampuch/pdfmake/releases/tag/0.3.6
- https://nvd.nist.gov/vuln/detail/CVE-2026-26801
- https://github.com/advisories/GHSA-wp52-r2fp-4vmr
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026