{"id":"PYSEC-2024-301","details":"Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.","aliases":["CVE-2024-1647","GHSA-p3rv-qj56-2fqx"],"modified":"2026-06-10T17:02:31.049197896Z","published":"2024-02-20T01:15:07.717Z","references":[{"type":"PACKAGE","url":"https://pypi.org/project/pyhtml2pdf/"},{"type":"EVIDENCE","url":"https://fluidattacks.com/advisories/oliver/"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-p3rv-qj56-2fqx"}],"affected":[{"package":{"name":"pyhtml2pdf","ecosystem":"PyPI","purl":"pkg:pypi/pyhtml2pdf"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.0.6"}]}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyhtml2pdf/PYSEC-2024-301.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}