CVE-2026-26801

Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/bpampuch/pdfmake	Product
https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js	Product
https://github.com/bpampuch/pdfmake/pull/2920	Issue Tracking Patch
https://github.com/bpampuch/pdfmake/releases/tag/0.3.6	Release Notes
https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pdfmake:pdfmake::::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:-::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta10::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta11::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta12::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta13::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta14::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta15::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta16::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta17::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta18::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta19::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta2::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta3::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta4::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta5::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta6::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta7::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta8::::::
	cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta9::::::

History

07 May 2026, 20:32

Type	Values Removed	Values Added
References	~~() https://github.com/bpampuch/pdfmake -~~	() https://github.com/bpampuch/pdfmake - Product
References	~~() https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js -~~	() https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js - Product
References	~~() https://github.com/bpampuch/pdfmake/pull/2920 -~~	() https://github.com/bpampuch/pdfmake/pull/2920 - Issue Tracking, Patch
References	~~() https://github.com/bpampuch/pdfmake/releases/tag/0.3.6 -~~	() https://github.com/bpampuch/pdfmake/releases/tag/0.3.6 - Release Notes
References	~~() https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf -~~	() https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf - Exploit, Third Party Advisory
First Time		Pdfmake pdfmake Pdfmake
CPE		cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta11:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta19:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta7:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta17:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta12:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta14:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta10:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta3:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta16:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta6:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta8:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta2:::::: cpe:2.3:a:pdfmake:pdfmake:::::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta15:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta5:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta9:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta13:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta18:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:-:::::: cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta4::::::

17 Mar 2026, 17:16

Type	Values Removed	Values Added
References		() https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf -

11 Mar 2026, 13:53

Type	Values Removed	Values Added
Summary		(es) Vulnerabilidad de falsificación de petición del lado del servidor (SSRF) en las versiones de pdfmake 0.3.0-beta.2 hasta 0.3.5 permite a un atacante remoto obtener información sensible a través del componente src/URLResolver.js. La corrección fue lanzada en la versión 0.3.6, que introduce el método setUrlAccessPolicy() permitiendo a los operadores del servidor definir reglas de acceso a URL. Ahora se registra una advertencia cuando pdfmake se utiliza del lado del servidor sin una política configurada.

10 Mar 2026, 19:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 19:17

Updated : 2026-05-07 20:32

NVD link : CVE-2026-26801

Mitre link : CVE-2026-26801

CVE.ORG link : CVE-2026-26801

JSON object : View

Products Affected

pdfmake

pdfmake

CWE

CWE-918

Server-Side Request Forgery (SSRF)

7.5 /10