VulnerableCode Package Details - pkg:pypi/reportlab@2.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-7ae4-65em-sbdg Aliases: CVE-2019-17626 GHSA-qpg2-vx7j-3869 PYSEC-2019-117	ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.	3.5.28 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gn2v-c44r-7bc8 Aliases: CVE-2019-19450 GHSA-pj98-2xf6-cff5	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.	3.5.31 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-jkaa-rknn-p7au Aliases: CVE-2020-28463 GHSA-mpvw-25mg-59vx PYSEC-2021-146 SNYK-PYTHON-REPORTLAB-1022145	url request injection	3.5.55 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-u1pp-ngnq-ybar Aliases: PYSEC-2019-47	ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.	3.5.28 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vz5z-udbg-vufv Aliases: CVE-2023-33733 GHSA-9q9m-c65c-37pq	Reportlab vulnerable to remote code execution Reportlab up to and including v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.	3.6.13 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-7ae4-65em-sbdg
Aliases:
CVE-2019-17626
GHSA-qpg2-vx7j-3869
PYSEC-2019-117

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

3.5.28
Affected by 3 other vulnerabilities.

VCID-gn2v-c44r-7bc8
Aliases:
CVE-2019-19450
GHSA-pj98-2xf6-cff5

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.

3.5.31
Affected by 2 other vulnerabilities.

VCID-jkaa-rknn-p7au
Aliases:
CVE-2020-28463
GHSA-mpvw-25mg-59vx
PYSEC-2021-146
SNYK-PYTHON-REPORTLAB-1022145

url request injection

3.5.55
Affected by 1 other vulnerability.

VCID-u1pp-ngnq-ybar
Aliases:
PYSEC-2019-47

ReportLab through 3.5.26 allows remote code execution because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted XML document with '<span color="' followed by arbitrary Python code.

3.5.28
Affected by 3 other vulnerabilities.

VCID-vz5z-udbg-vufv
Aliases:
CVE-2023-33733
GHSA-9q9m-c65c-37pq

Reportlab vulnerable to remote code execution Reportlab up to and including v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

3.6.13
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T04:08:42.290787+00:00	GitLab Importer	Affected by	VCID-gn2v-c44r-7bc8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/reportlab/CVE-2019-19450.yml	38.6.0
2026-06-06T03:48:03.155888+00:00	GitLab Importer	Affected by	VCID-vz5z-udbg-vufv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/reportlab/CVE-2023-33733.yml	38.6.0
2026-06-06T02:23:14.435297+00:00	GitLab Importer	Affected by	VCID-7ae4-65em-sbdg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/reportlab/CVE-2019-17626.yml	38.6.0
2026-06-05T16:56:50.383224+00:00	PyPI Importer	Affected by	VCID-jkaa-rknn-p7au	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T16:55:33.490557+00:00	PyPI Importer	Affected by	VCID-7ae4-65em-sbdg	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T16:55:33.401362+00:00	PyPI Importer	Affected by	VCID-u1pp-ngnq-ybar	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T16:27:02.530636+00:00	GHSA Importer	Affected by	VCID-jkaa-rknn-p7au	https://github.com/advisories/GHSA-mpvw-25mg-59vx	38.6.0
2026-06-04T20:47:48.137080+00:00	GitLab Importer	Affected by	VCID-jkaa-rknn-p7au	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/reportlab/CVE-2020-28463.yml	38.6.0
2026-06-04T18:54:01.477876+00:00	GHSA Importer	Affected by	VCID-7ae4-65em-sbdg	https://github.com/advisories/GHSA-qpg2-vx7j-3869	38.6.0
2026-06-02T04:08:22.153105+00:00	Pypa Importer	Affected by	VCID-jkaa-rknn-p7au	https://github.com/pypa/advisory-database/blob/main/vulns/reportlab/PYSEC-2021-146.yaml	38.6.0
2026-06-02T04:05:55.281744+00:00	Pypa Importer	Affected by	VCID-7ae4-65em-sbdg	https://github.com/pypa/advisory-database/blob/main/vulns/reportlab/PYSEC-2019-117.yaml	38.6.0