What is the CVSS score of CVE-2026-25940?

CVE-2026-25940 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Jspdf are affected by CVE-2026-25940?

jsPDF versions prior to 4.2.0 contain a vulnerability allowing attackers to inject malicious JavaScript into PDF documents through the Acroform module, potentially enabling credential theft, malware…. A patch is available.

How to fix or mitigate CVE-2026-25940?

Within 24 hours: Identify all applications and systems using jsPDF and document their versions and deployment locations. Within 7 days: Test and deploy jsPDF version 4.2.0 or later in development and staging environments to validate compatibility. Within 30 days: Complete production deployment of patched version across all affected systems and verify no legacy versions remain in use.

Jspdf CVE-2026-25940

HIGH

Improper Encoding or Escaping of Output (CWE-116)

2026-02-19 security-advisories@github.com

GHSA-p5xg-68wr-hm3m

XSS Jspdf Red Hat

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Red Hat

9.6 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

Patch released

Feb 23, 2026 - 18:50 nvd

Patch available

CVE Published

Feb 19, 2026 - 16:27 nvd

HIGH 8.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 npm packages depend on jspdf (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.2.0.

DescriptionGitHub Advisory

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.

AnalysisAI

jsPDF versions prior to 4.2.0 allow attackers to inject arbitrary PDF objects including malicious JavaScript through unsanitized input to the Acroform module, which executes when users interact with form elements. An attacker who can control input passed to vulnerable API members can achieve code execution on the victim's system. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious PDF with unsanitized Acroform input

Exploit

Inject arbitrary JavaScript action into radio button

Execution

Victim opens PDF and hovers over button

Impact

JavaScript executes in PDF viewer context