CVE-2024-1647 HIGH

CVE-2024-1647: pyhtml2pdf 0.0.6 - Local File Read via Server Side XSS

Vendor Pyhtml2Pdf

Product pyhtml2pdf

Weakness CWE-79 · XSS

Published February 19, 2024

Last update December 3, 2025

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.

Key dates

02Disclosure timeline

February 19, 2024 CVE published

December 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1647 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-3691 layui HTML Attribute cross site scripting CVE-2020-36709 Page Builder: KingComposer < 2.9.4 - Stored Cross-Site Scripting CVE-2025-7802 PHPGurukul Complaint Management System complaint-search.php cross site scripting CVE-2025-32538 WordPress Easy Post Duplicator Plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-12045 Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy