CVE 8.7 HIGH

html2pdf.js has a cross-site scripting vulnerability_CVE-2026-22787

January 14, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected].

AI Analysis

Cross-site scripting (XSS) vulnerability in html2pdf.js prior to 0.14.0, allowing malicious scripts to run on the client browser

Basic Information

ID CVE-2026-22787

Source GitHub_M

Published Jan 14, 2026 at 16:52

Affected Product

Vendor eKoopmans

Product html2pdf.js

Version < 0.14.0

Affected Versions eKoopmans html2pdf.js < 0.14.0

CWE Classification

CWE-79

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor eKoopmans

Product html2pdf.js

Version < 0.14.0

References

{
    "lastseen": "",
    "description": "html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected].",
    "published": "2026-01-14T16:52:38.372Z",
    "modified": "2026-01-14T16:52:38.372Z",
    "type": "cve",
    "title": "html2pdf.js has a cross-site scripting vulnerability",
    "source": "GitHub_M",
    "references": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc\nhttps://github.com/eKoopmans/html2pdf.js/issues/865\nhttps://github.com/eKoopmans/html2pdf.js/pull/877\nhttps://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b\nhttps://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0",
    "id": "CVE-2026-22787",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "eKoopmans html2pdf.js < 0.14.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "html2pdf.js",
    "version": "< 0.14.0",
    "vendor": "eKoopmans",
    "ai_description": "Cross-site scripting (XSS) vulnerability in html2pdf.js prior to 0.14.0, allowing malicious scripts to run on the client browser",
    "ai_severity": "High",
    "ai_vendor": "eKoopmans",
    "ai_product": "html2pdf.js",
    "ai_version": "< 0.14.0",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply