Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by pyhtml2pdf
CVE-2024-1647 (GCVE-0-2024-1647)
Vulnerability from cvelistv5 – Published: 2024-02-19 23:59 – Updated: 2025-12-03 20:21
VLAI?
Title
pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS
Summary
Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain
arbitrary local files. This is possible because the application does not
validate the HTML content entered by the user.
Severity ?
7.5 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pyhtml2pdf | pyhtml2pdf |
Affected:
0.0.6
|
Date Public ?
2024-02-19 23:58
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.662Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"tags": [
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pyhtml2pdf_project:pyhtml2pdf:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf_project",
"versions": [
{
"status": "affected",
"version": "00.0.6"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1647",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T20:47:01.112779Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T19:34:38.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pypi.python.org",
"defaultStatus": "unaffected",
"packageName": "pyhtml2pdf",
"product": "pyhtml2pdf",
"vendor": "pyhtml2pdf",
"versions": [
{
"status": "affected",
"version": "0.0.6"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pyhtml2pdf:pyhtml2pdf:0.0.6:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"datePublic": "2024-02-19T23:58:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003ePyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\u003c/div\u003e\u003cdiv\u003earbitrary local files. This is possible because the application does not\u003c/div\u003e\u003cdiv\u003evalidate the HTML content entered by the user.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain\n\narbitrary local files. This is possible because the application does not\n\nvalidate the HTML content entered by the user."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:21:55.600Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"url": "https://pypi.org/project/pyhtml2pdf/"
},
{
"url": "https://fluidattacks.com/advisories/oliver/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2024-1647",
"datePublished": "2024-02-19T23:59:17.082Z",
"dateReserved": "2024-02-19T21:52:22.394Z",
"dateUpdated": "2025-12-03T20:21:55.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}