PT-2026-24364 · Pdfmake · Pdfmake

Mario Pepe · Published 2026-03-10 · Updated 2026-03-23 · CVE-2026-26801

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

pdfmake versions 0.3.0-beta.2 through 0.3.5

Description

A Server-Side Request Forgery (SSRF) issue exists in the src/URLResolver.js component of pdfmake. This allows a remote attacker to potentially obtain sensitive information. The issue was addressed with the release of version 0.3.6, which introduces the setUrlAccessPolicy() method. This method allows server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

Recommendations

Update to pdfmake version 0.3.6 or later. Configure URL access rules using the setUrlAccessPolicy() method.
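
One way to write the access rule the recommendation calls for, as an added example that is not pdfmake's own code: an exact-host allowlist predicate beside a prefix check that is too loose. The host names and the names `ALLOWED_HOSTS`, `isUrlAllowed` and `naivePrefixCheck` are hypothetical, and the callback shape for setUrlAccessPolicy() (URL in, boolean out) is an assumption to confirm against the 0.3.6 documentation.

```javascript
// Added example: URL policy predicate for server-side pdfmake (not project code).
// Constructed allowlist: the only hosts document definitions may fetch from.
const ALLOWED_HOSTS = new Set(["assets.example.com", "cdn.example.com"]);

// Too loose: compares raw strings, so anything that merely begins with the
// trusted prefix passes, including look-alike hosts and userinfo tricks.
function naivePrefixCheck(rawUrl) {
  return String(rawUrl).startsWith("https://assets.example.com");
}

// Strict: parse first, then decide on the parsed components only.
function isUrlAllowed(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser lowercases scheme and host
  } catch {
    return false; // relative or unparseable input is rejected
  }
  if (url.protocol !== "https:") return false;    // blocks http:, file:, data:, ...
  if (url.username || url.password) return false; // blocks user@host confusion
  if (url.port !== "") return false;              // default port only (":443" parses to "")
  // Exact match on the parsed host: IP literals, localhost and
  // suffix/prefix look-alikes are all absent from the set.
  return ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample inputs, evaluated by both checks for comparison.
const SAMPLES = [
  "https://assets.example.com/logo.png",
  "HTTPS://ASSETS.EXAMPLE.COM:443/logo.png",
  "https://assets.example.com.internal.invalid/logo.png",
  "https://assets.example.com@127.0.0.1/logo.png",
  "http://127.0.0.1:8080/admin",
  "file:///etc/hosts",
];

function comparePolicies(samples) {
  return samples.map((u) => ({
    url: u,
    naive: naivePrefixCheck(u),
    strict: isUrlAllowed(u),
  }));
}

// Assumed wiring (callback shape not taken from the advisory):
// pdfmake.setUrlAccessPolicy(isUrlAllowed);
```

The predicate judges the URL string only; it does not cover where an allowed host redirects or what address it resolves to, so network egress controls on the rendering host remain useful.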

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-26801
GHSA-WP52-R2FP-4VMR

Affected Products

Pdfmake