jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
- Severity:
- High
Description
User control of the argument of the addJS method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF.
Recommendation
Update the jspdf package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.2.0
- Patched version(s): 4.2.0
References
Related Issues
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
- jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940
- Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
- Tags:
- npm
- jspdf
Anything's wrong? Let us know Last updated on February 19, 2026