PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel

Severity:: Medium

Description

The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the context of any user who opens the Designer and selects a multiVariableText field with no {variables} in its text.

Recommendation

Update the @pdfme/schemas package to the latest compatible version. Followings are version details:

Affected version(s): <= 5.5.9
Patched version(s): 5.5.10

References

GHSA-xgx4-2wgv-4jhm
CWE-79
OWASP 2021-A3

Related Issues

Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas - Vulnerability
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas - Vulnerability
PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled - Vulnerability
SCEditor has DOM XSS via emoticon URL/HTML injection - CVE-2026-25581

Tags:: npm; @pdfme/schemas

Anything's wrong? Let us know Last updated on March 20, 2026