8.1

CVE-2026-24737

Medienbericht
Exploit

jsPDF has a PDF Injection in AcroFormChoiceField which allows Arbitrary JavaScript Execution

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ParallJspdf SwPlatformnode.js Version < 4.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.46% 0.361
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
03.03.2026 14:25
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
Release Notes
https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79
Patch
https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328
Vendor Advisory
Exploit