jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution

Description

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

Recommendation

Update the jspdf package to the latest compatible version. Followings are version details:

• Affected version(s): <= 4.0.0
• Patched version(s): 4.1.0

References

• GHSA-pqxr-3g65-p328
• CVE-2026-24737
• CWE-116
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" pr - CVE-2026-25940
• Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click - CVE-2026-43941
• jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
• Electerm runWidget has a path traversal that leads to arbitrary code execution - CVE-2026-43940

You might also like:

How to Secure your NodeJs Express Javascript Application - part 2

How do hackers hack websites?

SmartScanner 2.3: Smarter JavaScript Detection, Faster Scans, and Powerful CLI Enhancements

Tags:

npm

jspdf