Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for pyhtml2pdf by pyhtml2pdf
CVE-2024-1647 (GCVE-0-2024-1647)
Vulnerability from cvelistv5 – Published: 2024-02-19 23:59 – Updated: 2025-12-03 20:21
VLAI
Title
pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS
Summary
Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain
arbitrary local files. This is possible because the application does not
validate the HTML content entered by the user.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pyhtml2pdf | pyhtml2pdf |
Affected:
0.0.6
|
|
| pyhtml2pdf_project | pyhtml2pdf |
Affected:
00.0.6
cpe:2.3:a:pyhtml2pdf_project:pyhtml2pdf:*:*:*:*:*:*:*:* |
Date Public
2024-02-19 23:58
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pyhtml2pdf_project:pyhtml2pdf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf_project",
"versions": [
{
"status": "affected",
"version": "00.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1647",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T20:47:01.112779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:34:38.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pyhtml2pdf",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf",
"versions": [
{
"status": "affected",
"version": "0.0.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pyhtml2pdf:pyhtml2pdf:0.0.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2024-02-19T23:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\u003c/div\u003e\u003cdiv\u003earbitrary local files. This is possible because the application does not\u003c/div\u003e\u003cdiv\u003evalidate the HTML content entered by the user.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\n\narbitrary local files. This is possible because the application does not\n\nvalidate the HTML content entered by the user."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:21:55.600Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-1647",
"datePublished": "2024-02-19T23:59:17.082Z",
"dateReserved": "2024-02-19T21:52:22.394Z",
"dateUpdated": "2025-12-03T20:21:55.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1647 (GCVE-0-2024-1647)
Vulnerability from nvd – Published: 2024-02-19 23:59 – Updated: 2025-12-03 20:21
VLAI
Title
pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS
Summary
Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain
arbitrary local files. This is possible because the application does not
validate the HTML content entered by the user.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| pyhtml2pdf | pyhtml2pdf |
Affected:
0.0.6
|
|
| pyhtml2pdf_project | pyhtml2pdf |
Affected:
00.0.6
cpe:2.3:a:pyhtml2pdf_project:pyhtml2pdf:*:*:*:*:*:*:*:* |
Date Public
2024-02-19 23:58
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pyhtml2pdf_project:pyhtml2pdf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf_project",
"versions": [
{
"status": "affected",
"version": "00.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1647",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T20:47:01.112779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:34:38.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pyhtml2pdf",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf",
"versions": [
{
"status": "affected",
"version": "0.0.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pyhtml2pdf:pyhtml2pdf:0.0.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2024-02-19T23:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\u003c/div\u003e\u003cdiv\u003earbitrary local files. This is possible because the application does not\u003c/div\u003e\u003cdiv\u003evalidate the HTML content entered by the user.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\n\narbitrary local files. This is possible because the application does not\n\nvalidate the HTML content entered by the user."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:21:55.600Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-1647",
"datePublished": "2024-02-19T23:59:17.082Z",
"dateReserved": "2024-02-19T21:52:22.394Z",
"dateUpdated": "2025-12-03T20:21:55.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}