Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.
Published: 2026-02-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integrity Violation via Metadata Injection
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability allows attackers who provide arbitrary input to the addMetadata function of jsPDF to inject any XMP metadata into the generated PDF. If the PDF is subsequently signed, stored, or processed, this injected metadata can alter document contents or embed malicious information, undermining the confidentiality, integrity, or authenticity guarantees of signed PDFs. The weakness is an injection of unfiltered XML (CWE‑74) combined with an improper handling of manifest information (CWE‑91).

Affected Systems

The flaw exists in the Parallax jsPDF library versions preceding 4.1.0. It applies to any deployment that exposes the addMetadata method to user data, including browser-based and Node.js environments that build PDFs with this library.

Risk and Exploitability

The CVSS score of 6.9 indicates a high severity for integrity impact. The EPSS score is below 1%, suggesting a low probability of exploitation at the time of analysis, and it is not listed in CISA’s KEV catalog. Attackers can potentially exploit the flaw by supplying crafted XMP data via the addMetadata function, which may be invoked in web applications or other software that generates PDFs dynamically. The attack vector is inferred to be through user-controlled input into the library’s metadata function rather than direct code execution.

Generated by OpenCVE AI on April 18, 2026 at 00:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsPDF to version 4.1.0 or later, which removes the unsafe addMetadata behavior.
  • If an upgrade is not immediately possible, modify the application to disallow user-supplied data to be passed directly to addMetadata or implement strict XML validation before insertion.
  • After remediation, re-sign any PDFs that were generated before the update to ensure the signatures reflect the corrected metadata and re‑verify signature integrity.

Generated by OpenCVE AI on April 18, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vm32-vv63-w422 jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)
History

Wed, 18 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Parall
Parall jspdf
Vendors & Products Parall
Parall jspdf

Wed, 04 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-91
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

threat_severity

Moderate

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.
Title jsPDF Affected by Stored XMP Metadata Injection (Spoofing & Integrity Violation)
Weaknesses CWE-74
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Parall Jspdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:27:51.282Z

Reserved: 2026-01-20T22:30:11.777Z

Link: CVE-2026-24043

cve-icon Vulnrichment

Updated: 2026-02-03T15:27:45.447Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:07.813

Modified: 2026-02-18T14:43:08.730

Link: CVE-2026-24043

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-02T20:34:50Z

Links: CVE-2026-24043 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses