Description
WeasyPrint helps web developers to create PDF documents. Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even if `url_fetcher` is configured to prevent access to files and URLs. This vulnerability has been patched in version 61.2.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/ZLQZMOEDY72TS43HDXOBVID2VYCTWIH6/
Vendor Advisory x_refsource_confirm
https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-35jj-wx47-4w8r
Scores
CVSS v3
7.4
EPSS
0.0063
EPSS Percentile
45.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-829
Status
published
Products (3)
fedoraproject/fedora
40
kozea/weasyprint
61.0 - 61.2
pypi/weasyprint
61.0 - 61.2PyPI
Published
Mar 09, 2024
Tracked Since
Feb 18, 2026