cbcvebase.
CVE-2025-26240
published 2026-06-17

CVE-2025-26240: In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the…

PriorityP345high8.4CVSS 3.1
AVLACLPRNUINSUCHIHAH
EPSS
0.39%
31.0th percentile
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

Affected

1 ranges
VendorProductVersion rangeFixed in
pdfkit_projectpdfkit0 – 1.0.0

CVSS provenance

nvdv3.18.4HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvelistv5v3.18.4HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.