jsreport is vulnerable to remote code execution (RCE). Among the packages it is built from, Script-manager,
which runs users' scripts in a sandbox, has an unintended require vulnerability, and Puppeteer,
which converts users' HTML into PDF files, has a Server-Side Request Forgery (SSRF) vulnerability. An attacker can exploit both vulnerabilities to achieve remote code execution.