reportlab
PyPI · 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting reportlab
- CVE-2019-17626 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.5.28 | Published 2019-10-16
vulnerable: 2.0 ... 3.5.26 (32 versions)
ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
- CVE-2019-19450 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 3.5.31 | Published 2023-09-20
vulnerable: 2.0 ... 3.5.9 (33 versions)
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python cod…
- CVE-2020-28463 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 3.5.55 | Published 2021-02-18
vulnerable: 2.0 ... 3.5.9 (48 versions)
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Downlo…
- CVE-2023-33733 | HIGH | CVSS 7.8 | EG 7.8 | Fixed in 3.6.13 | Published 2023-06-05
vulnerable: 2.0 ... 3.6.9 (72 versions)
Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.