{"id":"GHSA-wp52-r2fp-4vmr","summary":"pdfmake is vulnerable to server-side request forgery (SSRF)","details":"Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method so that server operators can define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured. Because the protection depends on that policy, server-side deployments should configure setUrlAccessPolicy() after upgrading.","aliases":["CVE-2026-26801"],"modified":"2026-03-19T16:49:29.331008Z","published":"2026-03-10T21:32:15Z","database_specific":{"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2026-03-11T21:12:09Z","nvd_published_at":"2026-03-10T19:17:17Z","cwe_ids":["CWE-918"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26801"},{"type":"WEB","url":"https://github.com/bpampuch/pdfmake/pull/2920"},{"type":"PACKAGE","url":"https://github.com/bpampuch/pdfmake"},{"type":"WEB","url":"https://github.com/bpampuch/pdfmake/blob/master/src/URLResolver.js"},{"type":"WEB","url":"https://github.com/bpampuch/pdfmake/releases/tag/0.3.6"},{"type":"WEB","url":"https://mariopepe.github.io/cve-2026-26801-pdfmake-ssrf"}],"affected":[{"package":{"name":"pdfmake","ecosystem":"npm","purl":"pkg:npm/pdfmake"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.0-beta.2"},{"fixed":"0.3.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wp52-r2fp-4vmr/GHSA-wp52-r2fp-4vmr.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}