CVE-2026-26801
Analyzed Analyzed - Analysis Complete
Server-Side Request Forgery in pdfmake src/URLResolver.js

Publication date: 2026-03-10

Last updated on: 2026-05-07

Assigner: MITRE

Description
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26801
EUVD
EUVD-2026-10756
Affected Vendors & Products
Showing 20 associated CPEs
Vendor Product Version / Range
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake From 0.3.1 (inc) to 0.3.5 (inc)
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue found in pdfmake versions 0.3.0-beta.2 through 0.3.5. It allows a remote attacker to obtain sensitive information by exploiting the src/URLResolver.js component. The vulnerability is addressed in version 0.3.6, which introduces the setUrlAccessPolicy() method to let server operators define URL access rules and logs a warning if pdfmake is used server-side without a configured policy.

Impact Analysis

The impact of this vulnerability is that a remote attacker can obtain sensitive information from the server by exploiting the SSRF flaw. According to the CVSS score of 7.5, the vulnerability is of high severity and can lead to confidentiality breaches without requiring user interaction or privileges.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5, you should upgrade pdfmake to version 0.3.6 or later.

Version 0.3.6 introduces the setUrlAccessPolicy() method, which allows server operators to define URL access rules to prevent unauthorized requests.

Additionally, ensure that a URL access policy is configured when using pdfmake server-side to avoid warnings and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart