Description
If an attacker can control the options argument of the jsPDF output function, they can inject arbitrary HTML (such as scripts) into the browser context in which the created PDF is opened.
Recommendation
Update the jspdf package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 4.2.0
- Patched version(s): 4.2.1
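One way to confirm the update reached every installed copy, including copies nested under other dependencies, is to scan package-lock.json. This is an added example, not code from the advisory or from the jsPDF project; the lockfile excerpt and all package names other than jspdf are constructed, and the function names are hypothetical.

```javascript
// Constructed package-lock.json (lockfileVersion 3) excerpt; every package
// name other than jspdf is invented for this example.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jspdf": { version: "4.2.1" },
    "node_modules/report-widget": { version: "2.0.0" },
    "node_modules/report-widget/node_modules/jspdf": { version: "4.1.0" },
    "node_modules/jspdf-helper": { version: "1.0.0" },
    "node_modules/legacy-export/node_modules/jspdf": { version: "4.2.1-rc.1" },
  },
};

const PATCHED = [4, 2, 1]; // patched version stated in the advisory

// Parse "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version is below 4.2.1. Unparseable versions and prereleases
// of 4.2.1 are reported as affected so that they get a manual look.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== PATCHED[i]) return p.nums[i] < PATCHED[i];
  }
  return p.pre;
}

// Return every installed copy of jspdf, nested transitive copies included.
function findJspdf(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.split("node_modules/").pop() === "jspdf")
    .map(([path, meta]) => ({ path, version: meta.version, affected: isAffected(meta.version) }));
}

// Lockfile paths of the copies that still need the update.
function affectedPaths(lock) {
  return findJspdf(lock).filter((e) => e.affected).map((e) => e.path);
}

console.log(findJspdf(sampleLock));
```

A nested copy stays on its old version until the parent package's own dependency range allows 4.2.1, so a clean top-level entry alone does not show the fix is in place.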
Related Issues
- jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581
Tags
- npm
- jspdf
Last updated on March 19, 2026