CVE-2024-38526

HIGH EXPLOITED NUCLEI

pdoc <14.5.1 - Open Redirect

Title source: llm

Description

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

Exploits (2)

nomisec SCANNER 6 stars
by padayali-JD · poc
https://github.com/padayali-JD/pollyscan
nomisec SCANNER
by putget · poc
https://github.com/putget/CVE-2024-38526

Nuclei Templates (1)

Polyfill Supply Chain Attack Malicious Code Execution
HIGH by abut0n

Scores

CVSS v3 7.2
EPSS 0.8253
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

Details

VulnCheck KEV 2024-07-09
CWE
CWE-1395
Status published
Products (2)
mitmproxy/pdoc < 14.5.1
pypi/pdoc 0 - 14.5.1 PyPI
Published Jun 26, 2024
Tracked Since Feb 18, 2026