CVE-2026-36576

An attacker can send a crafted POST request with JSON data containing malicious options. These options can include command substitutions or chained commands, which are then passed to a shell interpreter. The application uses these options to construct a command for wkhtmltopdf, leading to arbitrary command execution as root on the server [ref_id=1].

The vulnerability lies within the app.py component, specifically in the loop that constructs the arguments for the wkhtmltopdf command. User-supplied options are appended to the `args` list and then joined into a string which is passed to the `execute()` function for shell evaluation [ref_id=1].

The advisory recommends replacing the use of `execute(' '.join(args))` with `subprocess.run(args)` which does not evaluate the string via a shell. Additionally, it suggests implementing an allowlist for permitted wkhtmltopdf options and validating their values to prevent injection [ref_id=1].

curl -X POST -H "Content-Type: application/json" -d '{"contents":"PGh0bWw+PGJvZHk+PC9ib2R5PjwvaHRtbD4=","options":{"margin-top":"$(id > /tmp/pwned.txt)""}}' http://TARGET:PORT/ curl -X POST -H "Content-Type: application/json" -d '{"contents":"PGh0bWw+PGJvZHk+PC9ib2R5PjwvaHRtbD4=","options":{"margin-top 0; id > /tmp/pwned2.txt;":""}}' http://TARGET:PORT/