jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
- Severity: Medium
Description
User control of the first argument of the addMetadata function allows users to inject arbitrary XML.
If an application passes unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF.
Recommendation
Update the jspdf package to the latest compatible version. Version details:
- Affected version(s): <= 4.0.0
- Patched version(s): 4.1.0
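For applications that cannot upgrade immediately, the following added example (not jsPDF's own code) escapes XML metacharacters in a value before it is handed to addMetadata, and checks that the escaped value no longer changes the element structure. `wrapXmp`, the `x:` element names, and the sample string are constructed stand-ins for a library that concatenates its argument into an XML packet.

```javascript
// Added example: neutralise XML metacharacters before a value reaches an
// XMP packet. Names below are hypothetical; none of this is jsPDF source.

const XML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;',
};

// Escape a value so it can only ever be parsed as character data.
function escapeXmlText(value) {
  return String(value)
    // Drop characters that are not legal in XML 1.0 at all.
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\uFFFE\uFFFF]/g, '')
    // Single pass, so already-produced entities are not escaped twice.
    .replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Constructed stand-in: a wrapper that concatenates its argument into XML.
function wrapXmp(metadata) {
  return '<x:meta xmlns:x="urn:example:meta"><x:value>' +
    metadata + '</x:value></x:meta>';
}

// Count element start tags (closing tags begin with "</" and are skipped).
function countElements(xml) {
  return (xml.match(/<[A-Za-z_][^\s<>\/]*/g) || []).length;
}

// True when the value adds elements beyond the wrapper's own two.
function injectsMarkup(metadata) {
  return countElements(wrapXmp(metadata)) !== countElements(wrapXmp(''));
}

// Constructed sample: a value that closes the wrapper element early and
// adds a sibling element the application never intended to write.
const SAMPLE =
  'Q3 report</x:value><x:author>Finance Dept</x:author><x:value>';

console.log(injectsMarkup(SAMPLE));                 // raw value
console.log(injectsMarkup(escapeXmlText(SAMPLE)));  // escaped value
console.log(wrapXmp(escapeXmlText(SAMPLE)));
```

On an affected version, apply `escapeXmlText` to any user-supplied value before passing it as the first argument of addMetadata; upgrading to the patched version remains the fix.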
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection - CVE-2026-44724
- claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh - CVE-2026-45136
- Strapi Vulnerable to SQL Injection in Content Type Builder - @strapi/content-type-builder - CVE-2026-22599
- Tags: npm, jspdf
Last updated on February 03, 2026


