CVE-2026-31898
HIGH
GHSA-7x6v-j9x4-qf24
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Tags
Description
### Impact User control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with.. * `createAnnotation`: `color` parameter Example attack vector: ```js import { jsPDF } from 'jspdf' const doc = new jsPDF(); const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> ('; doc.createAnnotation({ type: 'freetext', bounds: { x: 10, y: 10, w: 120, h: 20 }, contents: 'hello', color: payload }); doc.save('test.pdf'); ``` ### Patches The vulnerability has been fixed in [email protected]. ### Workarounds Sanitize user input before passing it to the vulnerable API members.
Analysis
A code injection vulnerability in the jsPDF library allows attackers to inject arbitrary PDF objects, including malicious JavaScript actions, through unsanitized user input to the createAnnotation method. The vulnerability affects jsPDF versions prior to 4.2.1 and enables remote attackers to execute arbitrary code when a victim opens or interacts with a maliciously crafted PDF file. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all applications and systems using jsPDF library and assess which are exposed to untrusted user input via the createAnnotation method. Within 7 days: Apply jsPDF patch version 4.2.1 or later across all affected systems, prioritizing customer-facing and internal applications that process user-supplied PDF data. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today