jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
- Severity: Medium
Description
The first argument of the addMetadata function is not sanitized, so a user who controls it can inject arbitrary XML.
An application that passes unsanitized input to the addMetadata method therefore allows a user to inject arbitrary XMP metadata into the generated PDF.
Recommendation
Update the jspdf package to the latest compatible version. The version details are as follows:
- Affected version(s): <= 4.0.0
- Patched version(s): 4.1.0
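In addition to upgrading, untrusted text can be XML-escaped before it is passed as the first argument of addMetadata. The following is an added example, not code from jsPDF or from this advisory; wrapInXmp and its element names are hypothetical stand-ins for a library that embeds the value in XML without escaping, and the sample input is constructed.

```javascript
// Added example: escape untrusted text before it is used as XMP metadata.
// wrapInXmp() is a hypothetical stand-in for code that places a value inside
// an XML element without escaping it; it is not jsPDF's implementation.

const XML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
};

// Characters XML 1.0 forbids: C0 controls except tab, LF, CR; U+FFFE, U+FFFF.
const XML_FORBIDDEN = /[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g;

// Turn arbitrary text into XML character data that cannot open or close tags.
function escapeXmlText(value) {
  if (typeof value !== 'string') {
    throw new TypeError('metadata must be a string');
  }
  return value
    .replace(XML_FORBIDDEN, '')
    .replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Hypothetical wrapper: concatenates the value into an XML packet as-is.
function wrapInXmp(value) {
  return '<x:meta><app:metadata>' + value + '</app:metadata></x:meta>';
}

// Count opening tags so the structural effect of the input is measurable.
function countOpenTags(xml) {
  return (xml.match(/<[A-Za-z][^>]*>/g) || []).length;
}

// Constructed sample input: text that carries its own markup.
const untrusted =
  'Q3 report</app:metadata><app:extra>injected</app:extra><app:metadata>';

const rawPacket = wrapInXmp(untrusted);                 // structure changes
const safePacket = wrapInXmp(escapeXmlText(untrusted)); // structure unchanged

console.log('open tags, raw input:    ', countOpenTags(rawPacket));
console.log('open tags, escaped input:', countOpenTags(safePacket));

// In application code, pass escapeXmlText(userInput) as the first argument
// of addMetadata instead of the raw user input.
```

If the jsPDF version in use already escapes this argument, escaping it again here would double-encode the text.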
Related Issues
- jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution - CVE-2026-24737
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- Tags: npm, jspdf
Last updated on February 03, 2026