CVE-2026-26801
Received Received - Intake
Server-Side Request Forgery in pdfmake src/URLResolver.js

Publication date: 2026-03-10

Last updated on: 2026-03-17

Assigner: MITRE

Description
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-17
Generated
2026-05-07
AI Q&A
2026-03-10
EPSS Evaluated
2026-05-05
NVD
CVE-2026-26801
EUVD
EUVD-2026-10756
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
pdfmake pdfmake From 0.3.0-beta.2 (inc) to 0.3.5 (inc)
pdfmake pdfmake 0.3.6
bpampuch pdfmake 0.3.0-beta.2
bpampuch pdfmake 0.3.1
bpampuch pdfmake 0.3.2
bpampuch pdfmake 0.3.3
bpampuch pdfmake 0.3.4
bpampuch pdfmake 0.3.5
bpampuch pdfmake From 0.3.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Server-Side Request Forgery (SSRF) issue found in pdfmake versions 0.3.0-beta.2 through 0.3.5. It allows a remote attacker to obtain sensitive information by exploiting the src/URLResolver.js component. The vulnerability is addressed in version 0.3.6, which introduces the setUrlAccessPolicy() method to let server operators define URL access rules and logs a warning if pdfmake is used server-side without a configured policy.


How can this vulnerability impact me? :

The impact of this vulnerability is that a remote attacker can obtain sensitive information from the server by exploiting the SSRF flaw. According to the CVSS score of 7.5, the vulnerability is of high severity and can lead to confidentiality breaches without requiring user interaction or privileges.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5, you should upgrade pdfmake to version 0.3.6 or later.

Version 0.3.6 introduces the setUrlAccessPolicy() method, which allows server operators to define URL access rules to prevent unauthorized requests.

Additionally, ensure that a URL access policy is configured when using pdfmake server-side to avoid warnings and reduce risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart