CVE-2026-26801
Analyzed Analyzed - Analysis Complete

Server-Side Request Forgery in pdfmake src/URLResolver.js

Vulnerability report for CVE-2026-26801, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-10

Last updated on: 2026-05-07

Assigner: MITRE

Description

Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-10
Last Modified
2026-05-07
Generated
2026-07-06
AI Q&A
2026-03-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 20 associated CPEs
Vendor Product Version / Range
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake From 0.3.1 (inc) to 0.3.5 (inc)
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0
pdfmake pdfmake 0.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) issue found in pdfmake versions 0.3.0-beta.2 through 0.3.5. It allows a remote attacker to obtain sensitive information by exploiting the src/URLResolver.js component. The vulnerability is addressed in version 0.3.6, which introduces the setUrlAccessPolicy() method to let server operators define URL access rules and logs a warning if pdfmake is used server-side without a configured policy.

Impact Analysis

The impact of this vulnerability is that a remote attacker can obtain sensitive information from the server by exploiting the SSRF flaw. According to the CVSS score of 7.5, the vulnerability is of high severity and can lead to confidentiality breaches without requiring user interaction or privileges.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5, you should upgrade pdfmake to version 0.3.6 or later.

Version 0.3.6 introduces the setUrlAccessPolicy() method, which allows server operators to define URL access rules to prevent unauthorized requests.

Additionally, ensure that a URL access policy is configured when using pdfmake server-side to avoid warnings and reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart