CVE-2026-24737

Medienbericht

Exploit

EPSS 0.01%
Veröffentlicht 02.02.2026 23:16:08
Zuletzt bearbeitet 18.02.2026 15:02:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parall ≫ Jspdf SwPlatformnode.js Version < 4.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.018

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://www.heise.de/news/HCL-BigFix-Angreifer-koennen-auf-Daten-im-Dateisystem-zugreifen-11196966.html

Medienbericht

heise Security

03.03.2026 14:25

https://github.com/parallax/jsPDF/releases/tag/v4.1.0

Release Notes

https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79

Patch

https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-24737