CVE-2026-22787
MEDIUM
GHSA-w8x4-x68c-m6fc
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4Tags
Description
html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected].
Analysis
html2pdf.js versions prior to 0.14.0 fail to sanitize text input before inserting it into the DOM, enabling stored or reflected XSS attacks that compromise client-side data confidentiality and integrity. Attackers can inject malicious scripts that execute in users' browsers when the library processes untrusted text sources, and public exploit code is available. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today