Cross-site Scripting (XSS)
Overview @pdfme/schemas is a TypeScript-based PDF generator and React-based UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the multiVariableText property panel when...
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel
Summary The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the...
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
Summary The DecodeStream.ensureBuffer method in @pdfme/pdf-lib doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio (a decompression bomb) causes unbounded memory allocation during stream decoding,...
@archbase/admin (>=4.0.0 <=4.0.1), @archbase/advanced (>=4.0.0 <=4.0.1) +10 more potentially affected by unknown CVE via @pdfme/schemas (>=5.5.10 <=5.5.8)
@pdfme/schemas NPM version =5.5.10, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =1.0.11, =0.20.0, =1.0.0, =0.31.0-EXPO-315-Marcelo-Tinelli.4, =0.0.1, =0.0.4 Source cves: unknown CVE Source advisory: SNYK:JS-PDFMESCHEMAS-15746949...
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas
Summary The SVG schema plugin in @pdfme/schemas renders user-supplied SVG content using container.innerHTML = value without any sanitization, enabling arbitrary JavaScript execution in the user's browser. Details In packages/schemas/src/graphics/svg.ts, line 87, the SVG schema's ui renderer assig...
Cross-site Scripting (XSS)
Overview @pdfme/schemas is a TypeScript-based PDF generator and React-based UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the innerHTML method. An attacker can execute...
@archbase/admin (>=4.0.0 <=4.0.1), @archbase/advanced (>=4.0.0 <=4.0.1) +10 more potentially affected by unknown CVE via @pdfme/schemas (>=5.5.10 <=5.5.8)
@pdfme/schemas NPM version =5.5.10, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0, =1.0.11, =0.20.0, =1.0.0, =0.31.0-EXPO-315-Marcelo-Tinelli.4, =0.0.1, =0.0.4 Source cves: unknown CVE Source advisory: SNYK:JS-PDFMESCHEMAS-15746948...
CVE-2025-53626
pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1...
CVE-2025-53626 pdfme has Sandbox Escape and Prototype Pollution vulnerabilities in pdfme expression evaluation
pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1...
CVE-2025-53626
CVE-2025-53626 affects pdfme (TypeScript/React) and its expression evaluation feature. Reported vulnerabilities in versions 5.2.0–5.4.0 allow sandbox escape enabling XSS and prototype pollution. The issues are mitigated in version 5.4.1. By exploiting the expression evaluator, an attacker could b...
GHSA-54XV-94QV-2GFG @pdfme/common vulnerable to XSS and Prototype Pollution through its expression evaluation
Summary The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. Details 1. Sandbox Escape Leading to XSS The expression evaluator's sandbox can be bypassed to execute arbitrary JavaScript...
PDFME Security Vulnerability
PDFME is an open source PDF generation library built with TypeScript and React by pdfme open source. A security vulnerability exists in PDFME versions 5.2.0 through 5.4.0, which stems from an expression evaluation feature that could lead to a sandbox escape, triggering cross-site scripting and...