What is the CVSS score of CVE-2026-24737?

CVE-2026-24737 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Jspdf are affected by CVE-2026-24737?

jsPDF versions prior to 4.1.0 contain a vulnerability allowing attackers to inject malicious JavaScript into PDF documents through the Acroform module.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24737?

Yes, a public proof-of-concept exploit is available for CVE-2026-24737. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-24737?

Within 24 hours: Inventory all applications and systems using jsPDF and document current versions in use. Within 7 days: Update all instances of jsPDF to version 4.1.0 or later across development, staging, and production environments. Within 30 days: Conduct vulnerability scanning and penetration testing to confirm remediation and identify any exploitation attempts in logs.

Jspdf CVE-2026-24737

HIGH

Improper Encoding or Escaping of Output (CWE-116)

2026-02-02 security-advisories@github.com

GHSA-pqxr-3g65-p328

XSS Jspdf Red Hat

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Red Hat

8.3 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:01 vuln.today

PoC Detected

Feb 18, 2026 - 15:02 vuln.today

Public exploit code

Patch released

Feb 18, 2026 - 15:02 nvd

Patch available

CVE Published

Feb 02, 2026 - 23:16 nvd

HIGH 8.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

4 npm packages depend on jspdf (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.1.0.

DescriptionGitHub Advisory

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.

AnalysisAI

PDF generation in jsPDF prior to version 4.1.0 allows injection of arbitrary PDF objects through unsanitized input passed to AcroForm module methods, enabling attackers to embed malicious JavaScript actions executed when victims open the generated documents. Public exploit code exists for this vulnerability affecting applications using vulnerable versions of the library. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker crafts malicious PDF input

Exploit

Pass unsanitized data to AcroformChoiceField.addOption

Execution

Inject arbitrary JavaScript PDF objects

Impact

Victim opens document triggering malicious script execution