{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26801", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-17T16:36:36.743Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-10T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-17T16:36:36.743Z"}, "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/bpampuch/pdfmake"}, {"url": "https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js"}, {"url": "https://github.com/bpampuch/pdfmake/releases/tag/0.3.6"}, {"url": "https://github.com/bpampuch/pdfmake/pull/2920"}, {"url": "https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T18:51:52.149011Z", "id": "CVE-2026-26801", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:52:24.622Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26801", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T18:51:52.149011Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T18:51:06.465Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/bpampuch/pdfmake"}, {"url": "https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js"}, {"url": "https://github.com/bpampuch/pdfmake/releases/tag/0.3.6"}, {"url": "https://github.com/bpampuch/pdfmake/pull/2920"}, {"url": "https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf"}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-17T16:36:36.743Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26801", "state": "PUBLISHED", "dateUpdated": "2026-03-17T16:36:36.743Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pdfmake:pdfmake:*:*:*:*:*:*:*:*", "matchCriteriaId": "E25A90CB-0990-4A86-A2A0-DED5B772A4F3", "versionEndIncluding": "0.3.5", "versionStartIncluding": "0.3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "B3D78BE8-BDF1-4F3D-A58B-6F72D92323E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "6E9F434F-B222-4B9E-894F-EF27349FD85A", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "302CBC0D-4021-43C9-9214-258EFAEBADA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "813FC92B-1352-46B2-98E5-177F2774A2FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "6998E01F-28D0-4110-9B73-051917FC1786", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta14:*:*:*:*:*:*", "matchCriteriaId": "3AE1D6C1-6D1F-40E2-A56B-D8975F41CF58", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta15:*:*:*:*:*:*", "matchCriteriaId": "A208BAFD-8F2C-4A30-87BC-9B9A4051113F", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta16:*:*:*:*:*:*", "matchCriteriaId": "3D03BA7A-C32D-4FBA-8A45-3BB1EDFAA456", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta17:*:*:*:*:*:*", "matchCriteriaId": "A23B1591-3E81-4340-9136-CC650FA68234", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta18:*:*:*:*:*:*", "matchCriteriaId": "D2DDEA62-21A3-408C-ABA5-E129F50F68CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta19:*:*:*:*:*:*", "matchCriteriaId": "7BAA4EC5-4994-4B5F-AE0A-0C1ABEF00861", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "438BF14C-6B93-4D8C-BF7E-C7BA40E04595", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "99C6EF3B-B002-4EB4-96DB-DFFFFED5570F", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "60BC0F53-38A5-4BFD-95AC-47B7635BA52E", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "5F25A975-45B3-4D96-A3DA-EF388D7C0C78", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "50BDBDEA-E9AA-4D3D-B0C1-35552D2A6FE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "8C08D75E-8340-4522-88C5-3871B461EA63", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "FC47E00A-8A0D-4D66-BA63-9D9400584815", "vulnerable": true}, {"criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "76F34238-5ADD-4491-A01F-ECD62ECF10DB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured."}, {"lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en las versiones de pdfmake 0.3.0-beta.2 hasta 0.3.5 permite a un atacante remoto obtener informaci\u00f3n sensible a trav\u00e9s del componente src/URLResolver.js. La correcci\u00f3n fue lanzada en la versi\u00f3n 0.3.6, que introduce el m\u00e9todo setUrlAccessPolicy() permitiendo a los operadores del servidor definir reglas de acceso a URL. Ahora se registra una advertencia cuando pdfmake se utiliza del lado del servidor sin una pol\u00edtica configurada."}], "id": "CVE-2026-26801", "lastModified": "2026-05-07T20:32:39.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-10T19:17:17.430", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/bpampuch/pdfmake"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/bpampuch/pdfmake/pull/2920"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/bpampuch/pdfmake/releases/tag/0.3.6"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.3.0-beta.2,0.3.5]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pdfmake", "vendor": "bpampuch"}], "analysis": {"en": {"generated_at": "2026-04-16T03:57:00.378412+00:00", "value": {"mitigation_remediation": ["Upgrade pdfmake to version\u00a00.3.6 or later.", "If upgrading is not immediately possible, configure a URL access policy by invoking setUrlAccessPolicy to restrict permitted domains.", "Monitor application logs for the warning emitted when no policy is configured and add a policy if any usage is detected.", "Avoid using pdfmake in server\u2011side contexts that accept untrusted input, or isolate that code with network restrictions."], "summary": {"action": "Patch Now", "impact": "Server\u2011Side Request Forgery enables remote attackers to retrieve sensitive data"}, "threat_synthesis": {"affected_systems": "Affected versions are pdfmake\u00a00.3.0\u2011beta.2 through 0.3.5. Any deployment that imports pdfmake in server\u2011side code without a URL access policy is at risk. The patch was released in 0.3.6 and introduces setUrlAccessPolicy and a runtime warning when no policy is defined.", "description_and_impact": "The vulnerability is a Server\u2011Side Request Forgery in the pdfmake library's URLResolver.js component. A remote attacker can provoke the server to resolve arbitrary URLs, which may leak internal data or external resources. The flaw is identified as CWE\u2011918 and allows attackers to read sensitive information from the server environment.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity. The EPSS score is less than 1%, suggesting low current exploitation likelihood, and the vulnerability is not listed in the KEV catalog. However, because SSRF can be leveraged to access internal resources, the risk remains significant for applications exposed to untrusted inputs. The attack vector likely involves supplying a malicious URL parameter to pdfmake during document generation."}}}}, "created": "2026-03-11T11:50:43.754383+00:00", "title": "SSRF Vulnerability in pdfmake Source Resolver Allows Remote Information Disclosure", "updated": "2026-04-16T04:00:09.459556+00:00", "vendors": ["bpampuch", "bpampuch$PRODUCT$pdfmake"]}