CVE-2025-26240
Published 2026-06-17. CVE-2025-26240: In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the…
Priority P345 · high · 8.4 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.39% (31.0th percentile)
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pdfkit_project | pdfkit | 0 – 1.0.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | v3.1 | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
VulDB
JazzCore Python-pdfkit 1.0.0 from_string privilege escalation
vuldb·2026-06-17
CVE-2025-26240 [CRITICAL] JazzCore Python-pdfkit 1.0.0 from_string privilege escalation
A vulnerability, which was classified as critical, has been found in JazzCore Python-pdfkit 1.0.0. Affected by this issue is the function from_string. The manipulation leads to privilege escalation.
This vulnerability is referenced as CVE-2025-26240. The attack needs to be initiated within the local network. No exploit is available.
GHSA
pdfkit: Path traversal in from_string
ghsa·2026-06-17
CVE-2025-26240 [HIGH] CWE-120 pdfkit: Path traversal in from_string
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
CVEList
CVE-2025-26240: In JazzCore python-pdfkit 1
cvelistv5·2026-06-17·CVSS 8.4
CVE-2025-26240 [HIGH] CVE-2025-26240: In JazzCore python-pdfkit 1
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.