Skip to main content

CVE-2026-31898

MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-03-17 https://github.com/parallax/jsPDF GHSA-7x6v-j9x4-qf24
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Severity Changed
Jun 30, 2026 - 03:24 NVD
HIGH MEDIUM
CVSS changed
Jun 30, 2026 - 03:24 NVD
8.1 (HIGH) 6.5 (MEDIUM)
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 17:07 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 501 npm packages depend on jspdf (326 direct, 177 indirect)

Ecosystem-wide dependent count for version 4.2.1.

DescriptionNVD

Impact

User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..

  • createAnnotation: color parameter

Example attack vector:

js
import { jsPDF } from 'jspdf'

const doc = new jsPDF();

const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> (';

doc.createAnnotation({
  type: 'freetext',
  bounds: { x: 10, y: 10, w: 120, h: 20 },
  contents: 'hello',
  color: payload
});

doc.save('test.pdf');

Patches

The vulnerability has been fixed in jsPDF@4.2.1.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

AnalysisAI

A code injection vulnerability in the jsPDF library allows attackers to inject arbitrary PDF objects, including malicious JavaScript actions, through unsanitized user input to the createAnnotation method. The vulnerability affects jsPDF versions prior to 4.2.1 and enables remote attackers to execute arbitrary code when a victim opens or interacts with a maliciously crafted PDF file. A proof-of-concept exploit is publicly available demonstrating how to launch system executables like calc.exe through PDF action injection.

Technical ContextAI

jsPDF is a popular JavaScript library for generating PDF documents in web browsers and Node.js environments, identified by CPE pkg:npm/jspdf. The vulnerability stems from improper output neutralization (CWE-116) in the createAnnotation method, specifically in how the 'color' parameter is processed without adequate sanitization. When creating PDF annotations, the library fails to properly escape or validate user-supplied input, allowing injection of raw PDF object syntax that can include action dictionaries with launch commands or JavaScript code that execute when the PDF is rendered or interacted with.

RemediationAI

Upgrade jsPDF to version 4.2.1 or later immediately, as confirmed in the vendor's security advisory at https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24 and release notes at https://github.com/parallax/jsPDF/releases/tag/v4.2.1. If immediate patching is not possible, implement strict input validation and sanitization for any user-supplied data passed to the createAnnotation method, particularly the color parameter, ensuring no PDF object syntax can be injected. Review all code paths that generate PDFs with user input and implement defense-in-depth measures such as content security policies for generated PDFs.

Vendor StatusVendor

Share

CVE-2026-31898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy