### [CVE-2024-38526](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38526)
![](https://img.shields.io/static/v1?label=Product&message=pdoc&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%2014.5.1%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1395%3A%20Dependency%20on%20Vulnerable%20Third-Party%20Component&color=brighgreen)

### Description

pdoc provides API Documentation for Python Projects. Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. This issue has been fixed in pdoc 14.5.1.

### POC

#### Reference
- https://www.vicarius.io/vsociety/posts/polyfillio-in-pdoc-cve-2024-38526

#### Github
- https://github.com/padayali-JD/pollyscan
- https://github.com/plzheheplztrying/cve_monitor
- https://github.com/putget/CVE-2024-38526