CVE-2026-41653: Stored XSS > File Exfiltration in BentoPDF
One of the things I keep asking myself when I review source code is: “what is this application’s real attack surface?” Not in the abstract sense (every application has attack surface), but in the concrete sense: if I get code execution here, what can I actually reach? What data moves through this thing, and where does it go? I found BentoPDF while working on a personal project. I was browsing GitHub looking for interesting open-source tools, stumbled across it, and thought: privacy-first, fully client-side PDF processor, WebAssembly, zero backend. Architecturally unusual. Worth a closer look. ...