Description
html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0.
Published: 2026-01-14
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via unsanitized text input in html2pdf.js
Action: Upgrade
AI Analysis

Impact

html2pdf.js is a client‑side library that converts web content into PDF documents. Versions prior to 0.14.0 embed supplied text directly into the DOM without proper sanitization. This flaw allows an attacker to inject malicious scripts that execute in the user’s browser, potentially exposing or altering sensitive data and disrupting page functionality.

Affected Systems

The vulnerability affects the eKoopmans html2pdf.js library on any Node.js environment that uses the library before version 0.14.0. Users who incorporate the old code into web pages or web applications are at risk.

Risk and Exploitability

The flaw scores 8.7 on the CVSS scale, indicating high severity, and the EPSS probability is low (<1%). It is not listed in the CISA KEV catalog. Exploitation requires delivery of malicious text to the application, which is then processed by html2pdf.js when a user initiates a PDF conversion. Because the attack occurs entirely on the client side, it can occur without additional network interaction once the code is loaded into the browser.

Generated by OpenCVE AI on April 18, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the html2pdf.js library to version 0.14.0 or later, which removes the XSS vector
  • If an upgrade is not immediately feasible, never pass untrusted text sources to the library; validate or sanitize all input before calling html2pdf.js
  • Implement a Content Security Policy that disallows inline script execution to mitigate any residual injection risk

Generated by OpenCVE AI on April 18, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w8x4-x68c-m6fc html2pdf.js contains a cross-site scripting vulnerability
History

Thu, 12 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ekoopmans:html2pdf.js:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 20 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Ekoopmans
Ekoopmans html2pdf.js
Vendors & Products Ekoopmans
Ekoopmans html2pdf.js

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
Description html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0.
Title html2pdf.js has a cross-site scripting vulnerability
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Ekoopmans Html2pdf.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T18:37:09.279Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22787

cve-icon Vulnrichment

Updated: 2026-01-20T18:37:09.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-14T17:16:09.290

Modified: 2026-03-12T18:15:22.800

Link: CVE-2026-22787

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T06:30:25Z

Weaknesses