CVE-2024-38526

Name of the Vulnerable Software and Affected Versions pdoc versions prior to 14.5.1

Description The issue arises from documentation generated with pdoc --math being linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code, leading to a supply chain attack. This allows for malicious code execution. Users who produce documentation with math mode are affected.

Recommendations For versions prior to 14.5.1, update to version 14.5.1 to resolve the issue. As a temporary workaround, consider avoiding the use of the --math option when generating documentation with pdoc until the update is applied.