Package details: pkg:deb/debian/python-reportlab@3.5.59-2
  purl: pkg:deb/debian/python-reportlab@3.5.59-2
  Next non-vulnerable version: 3.6.12-1+deb12u1
  Latest non-vulnerable version: 3.6.12-1+deb12u1
  Risk: 4.0
Vulnerabilities affecting this package (1)
  Vulnerability: VCID-vz5z-udbg-vufv
  Aliases: CVE-2023-33733, GHSA-9q9m-c65c-37pq
  Summary: Reportlab vulnerable to remote code execution. Reportlab up to and including v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.
  Fixed by: 3.6.12-1+deb12u1
  Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (3)
  Vulnerability: VCID-7ae4-65em-sbdg
  Summary: ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.
  Aliases: CVE-2019-17626, GHSA-qpg2-vx7j-3869, PYSEC-2019-117

  Vulnerability: VCID-gn2v-c44r-7bc8
  Summary: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
  Aliases: CVE-2019-19450, GHSA-pj98-2xf6-cff5

  Vulnerability: VCID-jkaa-rknn-p7au
  Summary: url request injection
  Aliases: CVE-2020-28463, GHSA-mpvw-25mg-59vx, PYSEC-2021-146, SNYK-PYTHON-REPORTLAB-1022145

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-06T09:35:17.497685+00:00 | Debian Oval Importer | Affected by | VCID-vz5z-udbg-vufv | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0
2026-06-06T02:38:56.422978+00:00 | Debian Oval Importer | Fixing | VCID-7ae4-65em-sbdg | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0
2026-06-06T01:42:21.221395+00:00 | Debian Oval Importer | Fixing | VCID-gn2v-c44r-7bc8 | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0
2026-06-02T00:10:28.021640+00:00 | Debian Oval Importer | Fixing | VCID-jkaa-rknn-p7au | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 38.6.0