Technical Writer at PDF4.dev
Technical writer at PDF4.dev tracking PDF tooling news, security advisories, and document-automation regulations.

Germany's mandatory B2B e-invoicing for €800k+ turnover starts Jan 1, 2027. XRechnung, ZUGFeRD 2.1+, Peppol BIS: which format, what to ship today.

Cloudflare Project Think launched durable agents with sandboxed JS workers and no network by default. We test what PDF generation patterns survive.

CVE-2026-8000 lets a crafted HTML page take over Selenium Grid + ChromeDriver on Windows. Chrome 148.0.7778.96 patches it. APT exploit confirmed.

CVE-2026-25755 in jsPDF lets attacker strings break out of addJS() and inject PDF objects, bypassing the AcroJS sandbox. CVSS 8.8, fixed in jspdf 4.2.0.

CVE-2026-4430 is an OOXML salt-mismatch out-of-bounds write in LibreOffice, fixed in 26.2.3 / 25.8.7. Why headless soffice in production needs sandboxing now.

CVE-2026-1592 is a stored XSS in Foxit PDF Editor Cloud's Create New Layer. CVSS 6.3, patched Feb 2026. What it means for teams sharing PDFs across orgs.

France flips B2B e-invoicing on September 1, 2026. Practical guide to Factur-X 1.07.3, ZUGFeRD 2.3.3, profile selection, CII XML, and PDF/A-3 embedding.

CVE-2026-44439 lets attacker HTML reach private IPs and file:// URLs during page capture. Every HTML-to-PDF API has this exposure. Detect, mitigate, harden.

CVE-2026-2441 is an actively exploited Chromium CSS use-after-free, fixed in Chrome 145.0.7632.75. Playwright bundles older Chromium for weeks. Detect, patch, harden.

Microsoft confirmed RCE chains from PDF prompt injection on May 7, 2026 (CVE-2026-25592, CVE-2026-26030). Concrete defenses for agent pipelines that ingest user-uploaded PDFs.

Belgium, Poland and France flip mandatory B2B e-invoicing in 2026. What developers need to ship: EN 16931 XML, Factur-X PDF/A-3, KSeF FA(3), Peppol BIS 3.0.

CVE-2026-42593 is an unauthenticated arbitrary PDF read in Gotenberg 8.31.0 and earlier, exposed by stampExpression and watermarkExpression on six conversion routes. Self-hosters affected, managed APIs unaffected.

From May 1, 2026, every verified n8n community node must ship with npm provenance built on GitHub Actions. A four-step migration guide with the PDF4.dev worked example.

Chrome 132 removed the old headless mode. chrome-headless-shell is the lean replacement. Here is when to migrate for PDF rendering, and when to stay.

Honest comparison of the three main JavaScript PDF libraries: pdf-lib for manipulation, jsPDF for client-side rendering, PDFKit for server-side streaming. Feature matrix, code samples, and when to pick each.

The Model Context Protocol 2026 roadmap names four priorities. Here is what changes for MCP server builders, and which patterns to adopt today.

What Agent Skills are, how they differ from MCP servers and system prompts, and a worked example of shipping a Skill that generates PDFs from prompts.

CVE-2026-23869 (CVSS 7.5) lets a single HTTP request burn a minute of CPU on any Next.js App Router endpoint. Detect, patch, and harden your PDF pipeline.

CVE-2026-5287 is a high-severity use-after-free in Chromium's PDF engine, fixed in Chrome 146.0.7680.178. Detect, patch, and harden Puppeteer, Playwright, Docker, and Lambda.

CVE-2026-34621 is a prototype pollution zero-day in Adobe Acrobat and Reader, exploited in the wild since December 2025. CISA KEV deadline was April 27, 2026. Patch, mitigations, and what server-side PDF pipelines should change today.

Playwright vs WeasyPrint for Python PDF generation: real performance numbers, CSS coverage, JavaScript support, and how to pick for Django, Flask, or FastAPI in 2026.

PDF/A is the ISO 19005 standard for long-term PDF archival. Covers PDF/A-1, -2, and -3 differences, technical restrictions, and how to create and validate compliant files.

Compare iLovePDF, Smallpdf, and PDF4.dev on privacy, limits, tools, and developer features. Find the best free PDF tool for your use case in 2026.

Compare the best PDF generation APIs in 2026: PDF4.dev, PDFMonkey, DocRaptor, Gotenberg, and wkhtmltopdf. Pricing, features, and code examples.

Playwright vs Puppeteer for PDF generation: API differences, CSS support, performance benchmarks, and when to use a managed PDF API instead.

Playwright vs Puppeteer vs WeasyPrint: real HTML-to-PDF latency and file size, Node.js and Python usage, macOS and Linux, plus the production gotchas inside.