CVE-2026-43979: HTML Injection & SSRF in Local Deep Research PDF Export
Local Deep Research versions before 1.6.0 contain a vulnerability where user-supplied search queries and metadata are inserted directly into HTML without proper escaping before being converted to PDF. An authenticated user can inject HTML tags that trick the server into making unauthorized web requests (SSRF), bypassing existing security controls. The vulnerability requires valid credentials but poses moderate risk due to potential confidentiality impact.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.0 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-79, CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled values — specifically title (sourced from research.title or research.query) and metadata key-value pairs — directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in ssrf_validator.py. This vulnerability is fixed in 1.6.0.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-43979 is an HTML injection vulnerability in PDFService._markdown_to_html() that occurs when constructing documents for WeasyPrint PDF export. The function interpolates unsanitized user input—specifically research.title, research.query, and metadata key-value pairs—directly into an f-string template without HTML entity encoding. This allows authenticated attackers to inject arbitrary HTML/script content. The injection can be weaponized to bypass ssrf_validator.py protections by embedding SSRF payloads within HTML tags processed during PDF generation, enabling the attacker to trigger server-initiated requests to internal or external resources. The fix in version 1.6.0 implements proper HTML escaping of user-controlled values before document construction.
Business impact
Organizations running Local Deep Research prior to 1.6.0 face confidentiality risks if an attacker gains valid user credentials. A compromised or malicious internal user can abuse PDF export functionality to probe internal network topology, access metadata from internal services, or exfiltrate data through side-channel requests. While the vulnerability requires authentication, insider threats or credential compromise scenarios make this operationally relevant. PDF generation is typically a routine feature, making this vector inconspicuous compared to traditional network-facing exploits.
Affected systems
Local Deep Research versions prior to 1.6.0 are affected. The vulnerability requires an authenticated user account to exploit, limiting exposure to scenarios where credentials are compromised, shared, or held by malicious insiders. Installations running 1.6.0 or later are not vulnerable.
Exploitability
Exploitation requires valid authentication credentials and access to the research creation or query interface. An attacker must craft a specially-formed research query or metadata payload containing HTML special characters (e.g., angle brackets, script tags). The injection is reliable once the attacker initiates PDF export, making reproducibility high in controlled environments. However, real-world exploitation depends on credential availability. No public exploit code or active exploitation in the wild is documented.
Remediation
Upgrade Local Deep Research to version 1.6.0 or later, which patches PDFService._markdown_to_html() to properly escape HTML special characters in user-controlled inputs before document construction. Organizations unable to upgrade immediately should restrict PDF export functionality to trusted users only and monitor for suspicious patterns in generated PDFs or unusual outbound requests from the application server.
Patch guidance
Apply the upgrade to Local Deep Research 1.6.0 as soon as feasible. The patch addresses the root cause by implementing HTML entity encoding on all user-supplied values (title, query, metadata) before insertion into the f-string template. Verify patch deployment by confirming the application version in admin settings or logs, and conduct a brief functional test of PDF export to ensure no side effects. No database migrations or configuration changes are required.
Detection guidance
Monitor application logs for unusual patterns in research queries or metadata submissions containing HTML special characters (<, >, &, quotes, etc.). Track PDF export requests and cross-correlate with subsequent outbound HTTP/HTTPS requests from the application server to internal IP ranges or unexpected external hosts. Network-level detection can flag outbound connections from the application server that deviate from normal behavior. Web application firewalls (WAF) can inspect research query parameters for injected HTML/script tags, though signature-based detection may require tuning.
Why prioritize this
Despite a CVSS score of 5.0 (MEDIUM), this vulnerability warrants timely attention because: (1) it bypasses existing SSRF defenses, indicating a gap in security controls; (2) it leverages a routine feature (PDF export) that users may invoke frequently and without suspicion; (3) insider threats or credential compromise are common attack vectors; and (4) affected organizations may not immediately detect exploitation due to the legitimate-appearing PDF generation activity. Prioritize based on credential exposure risk and internal network sensitivity.
Risk score, explained
CVSS 3.1 score of 5.0 (MEDIUM) reflects: Network attack vector (N) due to remote accessibility of the web application; Low attack complexity (L) because payload construction is straightforward; Low privilege requirement (PR=L) due to authentication; No user interaction (UI=N); Changed scope (S=C) because the SSRF impact can affect other systems; Low confidentiality impact (C=L) from potential unauthorized data access; No integrity or availability impact. The score appropriately reflects the authentication gate and limited confidentiality risk, but does not account for the defense bypass or insider threat context that may elevate practical risk in specific deployments.
Frequently asked questions
Does this vulnerability require the attacker to be an administrator?
No. The vulnerability affects any authenticated user with access to the research creation or query interface and the ability to export to PDF. Administrative privileges are not required.
Can this vulnerability be exploited without network access to Local Deep Research?
No. The vulnerability requires network access to the application and valid authentication credentials. An attacker cannot exploit it remotely without compromising user credentials or gaining authorized access first.
What is the primary risk if an internal user exploits this vulnerability?
A malicious insider or attacker with compromised credentials can use injected HTML to trigger unauthorized requests to internal services or systems behind the firewall (SSRF), potentially accessing sensitive metadata or exfiltrating data. The attack bypasses the application's existing SSRF protections.
Will upgrading to 1.6.0 require downtime or data migration?
No. Version 1.6.0 is a security patch that fixes HTML escaping in the PDF export function. It does not require database schema changes or extended downtime. Standard application restart should suffice.
This analysis is provided for informational purposes to support security decision-making. It is based on the CVE description, CVSS vector, and disclosed technical details as of the publication date. No guarantee is made regarding the completeness or accuracy of this summary. Organizations should verify patch availability and compatibility with their specific deployment before applying updates. Active exploitation metrics and real-world threat context may evolve; consult threat intelligence feeds and vendor advisories for current information. This explainer does not constitute security advice or a substitute for professional assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1