CVE-2026-31898

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the createAnnotation: color parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.

Affected Software

VendorProductVersion RangeStatus
parallaxjsPDF< 4.2.1affected

Weaknesses

  • CWE-116: CWE-116: Improper Encoding or Escaping of Output

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

jspdf: jsPDF: Arbitrary code execution via unsanitized input in createAnnotation method

Additional References

References