Description
User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..
Recommendation
Update the jspdf package to the latest compatible version. Followings are version details:
- Affected version(s): <= 4.2.0
- Patched version(s): 4.2.1
References
Related Issues
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
- jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940
- i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
You might also like:
- Tags:
- npm
- jspdf
Anything's wrong? Let us know Last updated on March 19, 2026