jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method

Severity:: High

Description

User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.

Recommendation

Update the jspdf package to the latest compatible version. Followings are version details:

Affected version(s): < 4.2.0
Patched version(s): 4.2.0

References

GHSA-9vjf-qc39-jprp
CVE-2026-25755
CWE-116
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885
Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280

How do hackers hack websites?

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; jspdf

Anything's wrong? Let us know Last updated on February 19, 2026