
Node.js CVE-2026-24040

MEDIUM 4.8 (CVSS 3.1)
Race Condition (CWE-362)
2026-02-02 security-advisories@github.com GHSA-cjw8-79x6-5cj4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Analysis Generated: Mar 12, 2026 - 22:01 (vuln.today)
  • PoC Detected: Feb 18, 2026 - 14:42 (vuln.today), public exploit code
  • Patch released: Feb 18, 2026 - 14:42 (nvd), patch available
  • CVE Published: Feb 02, 2026 - 23:16 (nvd), MEDIUM 4.8

Blast Radius

ecosystem impact
  • 5 npm packages depend on jspdf (3 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.1.0.

Description (NVD)

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.
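
The failure mode described above, reduced to a minimal model with a regression check that flags cross-request leakage. This is an added example, not jsPDF's source code; the builder functions, `findCrossTalk` and the per-request markers are hypothetical and constructed for illustration, and the per-document variant is one way to remove the shared state, not necessarily how 4.1.0 does it.

```javascript
// Simplified model of the bug class; NOT jsPDF's source. All names are hypothetical.

// Vulnerable pattern: the script text lives in module scope, so every
// document created by this module reads and writes the same variable.
let sharedText;
function makeSharedBuilder() {
  return {
    addJS(js) { sharedText = js; },
    // Serialization happens later and reads whatever was stored last.
    output() { return `<< /S /JavaScript /JS (${sharedText}) >>`; },
  };
}

// Hardened pattern: each document keeps its own copy of the script text.
function makeIsolatedBuilder() {
  let text;
  return {
    addJS(js) { text = js; },
    output() { return `<< /S /JavaScript /JS (${text}) >>`; },
  };
}

// Regression check: interleave n "requests" the way an event loop can when a
// handler awaits between addJS() and output(): every request calls addJS()
// first, and only then is each document serialized.
// Returns the ids of requests whose output carries another request's marker.
function findCrossTalk(makeBuilder, n = 3) {
  const requests = [];
  for (let id = 0; id < n; id++) {
    const marker = `user-${id}-secret`; // constructed per-request marker
    const doc = makeBuilder();
    doc.addJS(`app.alert("${marker}")`);
    requests.push({ id, marker, doc });
  }
  const leaked = [];
  for (const { id, marker, doc } of requests) {
    const out = doc.output();
    const foreign = requests.some((r) => r.id !== id && out.includes(r.marker));
    if (foreign || !out.includes(marker)) leaked.push(id);
  }
  return leaked;
}

console.log("shared state, affected requests:", findCrossTalk(makeSharedBuilder));
console.log("per-document state, affected requests:", findCrossTalk(makeIsolatedBuilder));
```

The same interleaving check can be pointed at a real PDF-generation handler in a test suite by giving each simulated request a unique marker and asserting that no output contains a marker other than its own.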

Analysis (AI)

jsPDF versions prior to 4.1.0 contain a race condition in the addJS method where a shared module-scoped variable is overwritten during concurrent PDF generation, causing JavaScript payloads and embedded data intended for one user to be included in another user's generated PDF. This cross-user data leakage primarily affects server-side Node.js deployments handling simultaneous requests, allowing attackers to access sensitive information leaked across user sessions. …


Remediation (AI)

Within 30 days: Identify affected systems running JavaScript and apply vendor patches as part of the regular patch cycle. …

