CVE-2024-1647 — Cross-site Scripting in Pyhtml2pdf

Description

Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.

How to fix CVE-2024-1647

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

PyPI/pyhtml2pdf—no fix listed
—no fix listed

Is CVE-2024-1647 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 0.0.6
from 0, <= 0.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (7)

ADVISORYgithub.com/advisories/GHSA-p3rv-qj56-2fqx
ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-1647
EXPLOITfluidattacks.com/advisories/oliver/
PATCHpypi.org/project/pyhtml2pdf/
WEBfluidattacks.com/advisories/oliver