{"id":"GHSA-p3rv-qj56-2fqx","summary":"Cross-site Scripting in Pyhtml2pdf","details":"Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.","aliases":["CVE-2024-1647","PYSEC-2024-301"],"modified":"2026-06-08T19:15:13.909773128Z","published":"2024-02-20T03:30:57Z","database_specific":{"github_reviewed_at":"2024-02-21T00:15:55Z","severity":"HIGH","nvd_published_at":"2024-02-20T01:15:07Z","cwe_ids":["CWE-79"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1647"},{"type":"WEB","url":"https://fluidattacks.com/advisories/oliver"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/pyhtml2pdf/PYSEC-2024-301.yaml"},{"type":"WEB","url":"https://pypi.org/project/pyhtml2pdf"}],"affected":[{"package":{"name":"pyhtml2pdf","ecosystem":"PyPI","purl":"pkg:pypi/pyhtml2pdf"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.0.6"}]}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-p3rv-qj56-2fqx/GHSA-p3rv-qj56-2fqx.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}