Skip to main content

CVE-2026-31938

| EUVDEUVD-2026-12755 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-17 https://github.com/parallax/jsPDF GHSA-wfv2-pwc8-crg5
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
8.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Severity Changed
Jun 30, 2026 - 03:24 NVD
CRITICAL MEDIUM
CVSS changed
Jun 30, 2026 - 03:24 NVD
9.6 (CRITICAL) 6.1 (MEDIUM)
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12755
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 17:07 nvd
CRITICAL 9.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 501 npm packages depend on jspdf (326 direct, 177 indirect)

Ecosystem-wide dependent count for version 4.2.1.

DescriptionNVD

Impact

User control of the options argument of the output function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The affected overloads and options are:

  • "pdfobjectnewwindow": the pdfObjectUrl option and the entire options object, which is JSON-serialized and included verbatim in the generated HTML-string.
  • "pdfjsnewwindow": the pdfJsUrl and filename options
  • "dataurlnewwindow": the filename option

The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context.

Example attack vector:

js
import { jsPDF } from 'jspdf';
const doc = new jsPDF();

const payload =  'x\"></iframe><script>window.__n=1</script><iframe src="';

doc.output('pdfjsnewwindow', {
  filename: payload,
  pdfJsUrl: 'viewer.html'
});

Patches

The vulnerability has been fixed in jspdf@4.2.1.

Workarounds

Sanitize user input before passing it to the output method.

AnalysisAI

HTML injection in PDF output functions allows remote attackers to execute arbitrary scripts in the browser context where generated PDFs are opened, exploitable when untrusted user input is passed unsanitized to the pdfObjectUrl, pdfJsUrl, or filename options. An attacker can craft malicious values through a web interface that, when used by victims to generate and open PDFs, execute arbitrary JavaScript in their browser with high impact on confidentiality and integrity. A patch is available to remediate this critical vulnerability affecting all users who process user-controlled PDF output parameters.

Technical ContextAI

The jsPDF library (npm:jspdf) is a popular JavaScript library for generating PDF documents in web applications. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), where user-controlled options passed to the output function are included directly in generated HTML without proper sanitization. The affected methods include pdfobjectnewwindow, pdfjsnewwindow, and dataurlnewwindow output overloads, where options like pdfObjectUrl, pdfJsUrl, and filename parameters can contain malicious scripts that execute when the PDF is opened in a browser context.

RemediationAI

Upgrade jsPDF to version 4.2.1 or later, which contains the security fix (commit 87a40bbd07e6b30575196370670b41f264aa78d7). The patched version is available at https://github.com/parallax/jsPDF/releases/tag/v4.2.1. As an immediate workaround, sanitize all user input before passing it to the jsPDF output method, particularly the filename, pdfObjectUrl, and pdfJsUrl parameters. Implement content security policies (CSP) to limit the impact of any successful XSS attacks and validate that user-controlled data cannot reach the vulnerable output methods.

Vendor StatusVendor

Share

CVE-2026-31938 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy