Hi Dmitry,
even their own website
https://wkhtmltopdf.org/status.html
says:
Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS, otherwise it can lead to complete takeover of the server it is running on! Please consider using a Mandatory Access Control system like AppArmor or SELinux, see recommended AppArmor policy.
Wouldn't it be more than enough or a reason to throw this out of debian/ubuntu, until they fixed this?
regards
Hadmut