Our PDF Generator Security Research Is Out

Dec 29, 2025

The article on our research from the first half of this year is finally published: "Blind trust: what is hidden behind the process of creating your PDF file?"

We looked at popular HTML-to-PDF conversion libraries across PHP, JavaScript, and Java — and found 13 vulnerabilities, 7 intentional behaviors, and 6 potential misconfigurations. Bugs in PDF generators aren’t as fat as they used to be, but they still fire in real engagements from time to time.

For reference, here’s a presentation (PDF) showcasing PDF generator bugs from a couple of years ago — back then the impact was significantly more critical. It shows how much the landscape has changed.