CVE-2025-26240: pdfkit: Path traversal in from_string
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
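As an added example (not part of this advisory or of the pdfkit project): a defensive pre-check that audits untrusted HTML for script execution and local-file references before it reaches from_string, together with a hardened options dict. Assumptions: the `disable-javascript` and `disable-local-file-access` keys map to the wkhtmltopdf switches of the same name (pdfkit forwards `options` to wkhtmltopdf), and the sample HTML strings are constructed for the test; the advisory itself names no fixed version or mitigation.

```python
import re
from html.parser import HTMLParser

# Hardened options for pdfkit.from_string(..., options=HARDENED_OPTIONS).
# Assumption: these keys are wkhtmltopdf's documented switches; the advisory
# does not state a mitigation, so this is a defensive default, not its fix.
HARDENED_OPTIONS = {
    "disable-javascript": "",         # no script execution during rendering
    "disable-local-file-access": "",  # no file:// or absolute-path reads
}

URL_ATTRS = {"src", "href", "data", "action", "poster"}
# file: URLs, POSIX absolute paths, Windows drive/UNC paths, javascript: URLs
LOCAL_RE = re.compile(r"^\s*(file:|/|[a-z]:[\\/]|\\\\|javascript:)", re.I)


class UntrustedHtmlAuditor(HTMLParser):
    """Collects constructs that let rendered HTML run JS or read local files."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name} event handler")
            elif name in URL_ATTRS and value and LOCAL_RE.match(value):
                self.findings.append(f"{tag}@{name} -> {value.strip()}")
            elif tag == "meta" and name == "content" and value and "url=" in value.lower():
                self.findings.append("meta refresh redirect")


def audit_html(html: str) -> list:
    """Return findings for untrusted HTML; an empty list means nothing was flagged."""
    auditor = UntrustedHtmlAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def safe_pdfkit_options(html: str) -> dict:
    """Reject flagged HTML; otherwise return the options dict to pass to from_string."""
    findings = audit_html(html)
    if findings:
        raise ValueError("untrusted HTML rejected: " + "; ".join(findings))
    return dict(HARDENED_OPTIONS)
```

The audit is a belt-and-braces check on top of the renderer flags, not a substitute for them, since wkhtmltopdf decides what it will actually load.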