Cyber Resilience

CVE-2024-38526

High

Published: 26 June 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in pdoc 14.5.1
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)
EPSS Score: 0.8287 (99.3rd percentile)
Risk Priority: 64 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-38526 is a high-severity vulnerability of unspecified weakness type in Sansec (vendor inferred from references). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 0.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

pdoc is a tool that generates API documentation for Python projects. When invoked with the --math flag, affected versions embed references to JavaScript files hosted on the polyfill.io CDN; after the CDN was acquired, it began serving malicious code, creating a supply-chain exposure for any documentation built with that option. The issue is tracked as CVE-2024-38526 and carries a CVSS 3.1 score of 7.2.

An attacker who compromises or controls the polyfill.io domain can deliver arbitrary JavaScript to any user who views HTML documentation generated by an unpatched pdoc run with --math. Because the CDN reference is included at generation time and requires no authentication or user interaction beyond loading the page, the exposure affects both the documentation authors and all downstream viewers across network boundaries.

The project addressed the problem in release 14.5.1 by removing the dependency on polyfill.io. The accompanying GitHub Security Advisory and pull request 703 recommend upgrading immediately and regenerating documentation with the patched version; no further configuration changes are required. The EPSS score has remained elevated near its recorded peak of 0.86.
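Because the polyfill.io reference is baked into the HTML at generation time, documentation built before the upgrade stays exposed until it is regenerated. The following is an added example (not code from the pdoc project) of a stdlib-only check that scans existing HTML output for script or stylesheet references to polyfill.io so stale builds can be found; the sample markup is constructed, and the exact tags pdoc emitted are an assumption.

```python
"""Find polyfill.io references in generated HTML docs (CVE-2024-38526).

Added example, not pdoc's own code. Reports every <script src> or
<link href> pointing at polyfill.io so affected builds can be rebuilt
with pdoc 14.5.1 or later.
"""
import sys
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

FLAGGED_HOST = "polyfill.io"  # the only host named in the advisory

def _is_flagged(url: str) -> bool:
    """True for absolute or protocol-relative URLs on polyfill.io or a subdomain."""
    host = (urlsplit(url).hostname or "").lower()
    return host == FLAGGED_HOST or host.endswith("." + FLAGGED_HOST)

class _RefFinder(HTMLParser):
    """Collect (line, tag, url) for flagged script/link references."""
    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[int, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "link": "href"}.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        if _is_flagged(url):
            self.hits.append((self.getpos()[0], tag, url))

def find_polyfill_refs(html: str) -> list[tuple[int, str, str]]:
    parser = _RefFinder()
    parser.feed(html)
    parser.close()
    return parser.hits

def scan_tree(root: Path) -> dict[str, list[tuple[int, str, str]]]:
    """Map each .html file under root that has flagged references to them."""
    findings = {}
    for path in sorted(root.rglob("*.html")):
        hits = find_polyfill_refs(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample resembling the <head> of an affected --math build.
SAMPLE_HTML = """<html><head>
<script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example.com/mathjax/tex-chtml.js"></script>
<link rel="stylesheet" href="//polyfill.io/style.css">
</head><body></body></html>"""

if __name__ == "__main__":
    for f, hits in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        for line, tag, url in hits:
            print(f"{f}:{line}: <{tag}> references {url}")
```

Run it against the directory that holds the generated docs; any hit means that build predates the fix and should be regenerated rather than edited by hand.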

Vulnerability details

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Sansec (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References