jsPDF has PDF Object Injection via Unsanitized Input in addJS...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in [email protected]. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

Basic Information

ID CVE-2026-25755

Source GitHub_M

Published Feb 19, 2026 at 14:41

Affected Product

Vendor parallax

Product jsPDF

Version < 4.2.0

Affected Versions parallax jsPDF < 4.2.0

CWE Classification

CWE-94 CWE-116

References

{
    "lastseen": "",
    "description": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in [email protected]. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.",
    "published": "2026-02-19T14:41:46.941Z",
    "modified": "2026-02-19T14:41:46.941Z",
    "type": "cve",
    "title": "jsPDF has PDF Object Injection via Unsanitized Input in addJS Method",
    "source": "GitHub_M",
    "references": "https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp\nhttps://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437\nhttps://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md\nhttps://github.com/parallax/jsPDF/releases/tag/v4.2.0",
    "id": "CVE-2026-25755",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-116"
    ],
    "cvelist": null,
    "sourceData": "parallax jsPDF < 4.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "jsPDF",
    "version": "< 4.2.0",
    "vendor": "parallax",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

jsPDF has PDF Object Injection via Unsanitized Input in addJS Method_CVE-2026-25755