PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled

Summary The getB64BasePdf function in @pdfme/common fetches arbitrary URLs via fetch without any validation when basePdf is a non-data-URI string and window is defined. An attacker who can control the basePdf field of a template e.g., through a web application that accepts user-supplied templates...

PT-2026-3555

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private key jwt. The issue allows a client to specify an arbitrary jwks uri,...