Pdfmake · Pdfmake · CVE-2026-26801
**Name of the Vulnerable Software and Affected Versions**
pdfmake versions 0.3.0-beta.2 through 0.3.5
**Description**
A Server-Side Request Forgery (SSRF) issue exists in the `src/URLResolver.js` component of pdfmake. This allows a remote attacker to potentially obtain sensitive information. The issue was addressed with the release of version 0.3.6, which introduces the `setUrlAccessPolicy()` method. This method allows server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.
**Recommendations**
Update to pdfmake version 0.3.6 or later.
Configure URL access rules using the `setUrlAccessPolicy()` method.
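
One way to express such URL access rules is a deny-by-default host allowlist. The sketch below is an added example, not code from the pdfmake project: `ALLOWED_HOSTS` and `isUrlAllowed` are hypothetical names, the hosts are constructed samples, and the wiring shown in the final comment assumes `setUrlAccessPolicy()` accepts a function that receives the URL and returns `true` to allow it.

```javascript
// Added example: deny-by-default URL policy for server-side pdfmake.
// ALLOWED_HOSTS / isUrlAllowed are hypothetical names; hosts are constructed samples.
const ALLOWED_HOSTS = new Set(["assets.example.com", "cdn.example.com"]);

function isUrlAllowed(rawUrl) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch {
    return false; // unparsable or relative input: deny
  }
  // HTTPS only: rejects http:, file:, ftp:, data: and other schemes.
  if (url.protocol !== "https:") return false;
  // Reject embedded credentials, e.g. https://assets.example.com@other-host/
  if (url.username !== "" || url.password !== "") return false;
  // Default port only (url.port is "" when the port is 443 or absent).
  if (url.port !== "") return false;
  // Exact match on the parsed hostname. The URL parser lower-cases names and
  // normalises numeric IPv4 forms, so IP literals (loopback, link-local
  // metadata addresses, private ranges) never match the allowlist.
  return ALLOWED_HOSTS.has(url.hostname);
}

// Helper for reviewing a policy against a list of URLs before deploying it.
function evaluatePolicy(urls) {
  return urls.map((u) => ({ url: u, allowed: isUrlAllowed(u) }));
}

// Constructed sample input.
const SAMPLE_URLS = [
  "https://assets.example.com/logo.png",
  "http://assets.example.com/logo.png",
  "https://169.254.169.254/latest/meta-data/",
  "https://assets.example.com@127.0.0.1/",
  "https://assets.example.com.evil.test/x",
  "file:///etc/passwd",
];

for (const r of evaluatePolicy(SAMPLE_URLS)) {
  console.log(r.allowed ? "ALLOW" : "DENY ", r.url);
}

// Assumed wiring on pdfmake 0.3.6 or later (callback contract is an assumption):
//   pdfmake.setUrlAccessPolicy(isUrlAllowed);
```

The check is hostname-based: it does not inspect which address an allowed host resolves to or where it redirects, so keep the allowlist to hosts you control.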