{"id":"PYSEC-2026-522","summary":"ReportLab vulnerable to remote code execution via paraparser","details":"paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '\u003cunichar code=\"' followed by arbitrary Python code, a similar issue to CVE-2019-17626.","aliases":["CVE-2019-19450","GHSA-pj98-2xf6-cff5"],"modified":"2026-07-01T20:23:04.001605Z","published":"2026-06-29T11:50:43.995090Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19450"},{"type":"WEB","url":"https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md"},{"type":"WEB","url":"https://github.com/MrBitBucket/reportlab-mirror/blob/master/CHANGES.md#release-353115102019"},{"type":"PACKAGE","url":"https://hg.reportlab.com/hg-public/reportlab"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00037.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHMCB2GJQKFMGVO5RWHN222NQL5XYPHZ"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HADPTB3SBU7IVRMDK7OL6WSQRU5AFWDZ"},{"type":"WEB","url":"https://pastebin.com/5MicRrr4"},{"type":"PACKAGE","url":"https://pypi.org/project/reportlab"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-pj98-2xf6-cff5"}],"affected":[{"package":{"name":"reportlab","ecosystem":"PyPI","purl":"pkg:pypi/reportlab"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.5.31"}]}],"versions":["2.0","2.3","2.4","2.5","2.6","2.7","3.0","3.1.44","3.1.8","3.2.0","3.3.0","3.4.0","3.5.0","3.5.1","3.5.10","3.5.11","3.5.12","3.5.13","3.5.16","3.5.17","3.5.18","3.5.19","3.5.2","3.5.20","3.5.21","3.5.23","3.5.26","3.5.28","3.5.4","3.5.5","3.5.6","3.5.8","3.5.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/reportlab/PYSEC-2026-522.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}