What is GHSA-9g3x-6x24-vf9f?

GHSA-9g3x-6x24-vf9f is a security advisory published by GitHub Security Advisories with High severity. pdfkit: Path traversal in from_string

Which CVE IDs does GHSA-9g3x-6x24-vf9f cover?

GHSA-9g3x-6x24-vf9f covers the following CVE IDs: CVE-2025-26240. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-9g3x-6x24-vf9f?

GHSA-9g3x-6x24-vf9f has a CVSS v3 base score of 8.4, published by GitHub Security Advisories.

Which products are affected by GHSA-9g3x-6x24-vf9f?

GHSA-9g3x-6x24-vf9f affects 1 product, including: pip/pdfkit:\u003c= 1.0.0.

GHSA-9g3x-6x24-vf9fHighCVSS 8.4

pdfkit: Path traversal in from_string

Vendor

GitHub Security Advisories

Published

June 17, 2026

Last Modified

June 18, 2026

🔗 CVE IDs covered (1)

CVE-2025-26240 →

📋 Description

In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.

🎯 Affected products1

pip/pdfkit:<= 1.0.0

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2025-26240
https://habuon.github.io/2025/03/12/pdfkit-vulnerability-%28CVE-2025-26240%29.html
https://www.csirt.gov.sk/the-python-pdfkit-library-vulnerability.html
https://github.com/advisories/GHSA-9g3x-6x24-vf9f