Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.
Published: 2026-02-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the AcroForm module of jsPDF, a JavaScript library used for PDF generation. Values passed to AcroFormChoiceField.addOption, AcroFormChoiceField.setOptions, AcroFormCheckBox.appearanceState or AcroFormRadioButton.appearanceState are written into the generated document as PDF syntax without neutralizing the characters that delimit PDF objects, so a value that contains such syntax can terminate the enclosing string or name and append further objects, notably a JavaScript action attached to the form field. When a victim opens the resulting PDF in a viewer that supports document JavaScript, the injected script runs inside the viewer's JavaScript engine with whatever capabilities that viewer grants it. The flaw is classified as CWE-116 (Improper Encoding or Escaping of Output) and CWE-917 (Expression Language Injection).

Affected Systems

Any application that bundles jsPDF prior to version 4.1.0 and uses its AcroForm API is susceptible. The affected codebases are typically web or Node.js projects that build interactive form fields (the NVD CPE is cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*). All jsPDF releases below 4.1.0 are affected; the fix ships in jsPDF 4.1.0 and later. Projects that stay on an older jsPDF and let user input reach these members should be treated as exploitable; projects that only ever pass fixed, developer-defined values to them have no attacker-controlled path into the flaw but should still upgrade.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) categorizes the flaw as high severity. The EPSS score of less than 1% suggests that exploitation is unlikely at present, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. An attacker needs a path by which data they control reaches the vulnerable AcroForm members, typically a web application that builds a PDF form from user-supplied values (option labels, selection state) and delivers the result to another user. The UI:R component reflects that the victim must open the generated PDF; when the viewer executes embedded scripts, the injected JavaScript runs with the viewer's privileges, giving the high confidentiality and integrity impact scored in the vector (data exfiltration, credential theft, or further exploitation) with no availability impact.

Generated by OpenCVE AI on April 18, 2026 at 18:35 UTC.

Remediation

Fixed upstream in jsPDF 4.1.0 (GHSA-pqxr-3g65-p328); no separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade jsPDF to version 4.1.0 or later.
  • If an upgrade is not immediately possible, stop passing user-controlled values to the AcroForm members that accept them (AcroFormChoiceField.addOption, AcroFormChoiceField.setOptions, AcroFormCheckBox.appearanceState and AcroFormRadioButton.appearanceState); build option lists and appearance states from fixed, developer-defined values instead.
  • Where the application cannot avoid feeding these calls from user data, restrict option values and appearance states to a predetermined allowlist, or at minimum reject any value containing PDF delimiters or control characters (parentheses, square and angle brackets, braces, slash, percent sign, backslash), since those are what an injected object needs to break out of the enclosing string or name.
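The pattern behind this bug (the Impact analysis above) and the hardening the recommended actions describe, as an added illustration that is not jsPDF's code and not the upstream fix: a hypothetical, minimal serializer writes a choice field's /Opt entries and a check box's /AS appearance state into PDF syntax. The unsafe variant concatenates caller values verbatim, so a constructed option value that closes the string literal and the array can append an additional-actions (/AA) dictionary carrying a JavaScript action; the hardened variant escapes literal-string delimiters as the PDF specification requires and allowlists appearance states. A token-level scan that skips string literals shows why a plain grep for /JavaScript is not a reliable check on the hardened output. All function names, the payloads and the PDF fragments are constructed for this example.

```javascript
// Added illustration for CVE-2026-24737 (not jsPDF code, not the upstream fix).
// A hypothetical, minimal AcroForm serializer: the unsafe functions mimic
// concatenating caller values into PDF syntax unescaped; the safe ones
// escape or allowlist them. Run with: node pdf-injection-demo.js

// --- Vulnerable pattern: values are dropped into PDF syntax verbatim ------
function buildChoiceFieldUnsafe(fieldName, options) {
  const opt = options.map((o) => `(${o})`).join(' ');
  return `<< /FT /Ch /T (${fieldName}) /Opt [ ${opt} ] >>`;
}

function buildCheckBoxUnsafe(fieldName, appearanceState) {
  return `<< /FT /Btn /T (${fieldName}) /AS /${appearanceState} >>`;
}

// --- Hardened pattern ------------------------------------------------------
// PDF literal strings (ISO 32000-1, 7.3.4.2): backslash and both parentheses
// must be escaped; control bytes are written as three-digit octal escapes so
// no delimiter can terminate the string early. Non-ASCII text would need a
// hex string or UTF-16BE encoding, which this demo does not attempt.
function pdfLiteralString(value) {
  let out = '';
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (ch === '\\' || ch === '(' || ch === ')') out += '\\' + ch;
    else if (code < 0x20 || code === 0x7f) out += '\\' + code.toString(8).padStart(3, '0');
    else out += ch;
  }
  return `(${out})`;
}

function buildChoiceFieldSafe(fieldName, options) {
  const opt = options.map(pdfLiteralString).join(' ');
  return `<< /FT /Ch /T ${pdfLiteralString(fieldName)} /Opt [ ${opt} ] >>`;
}

// /AS is a name object, so escaping is the wrong tool: the state must be one
// of the appearance states the field actually defines (allowlist).
function buildCheckBoxSafe(fieldName, appearanceState, allowedStates = ['Off', 'On']) {
  if (!allowedStates.includes(appearanceState)) {
    throw new Error(`appearance state ${JSON.stringify(appearanceState)} not in [${allowedStates.join(', ')}]`);
  }
  return `<< /FT /Btn /T ${pdfLiteralString(fieldName)} /AS /${appearanceState} >>`;
}

// --- Detection: name tokens outside literal strings ------------------------
// A byte-level grep for "/JavaScript" also matches the hardened output, where
// the text sits inert inside a string. Skipping string literals (honouring
// backslash escapes and balanced parentheses) and decoding #xx name escapes
// gives a check that only fires on a real action dictionary.
function namesOutsideStrings(pdfText) {
  const names = [];
  let i = 0;
  while (i < pdfText.length) {
    const ch = pdfText[i];
    if (ch === '(') {
      let depth = 1;
      i += 1;
      while (i < pdfText.length && depth > 0) {
        if (pdfText[i] === '\\') i += 2;
        else {
          if (pdfText[i] === '(') depth += 1;
          else if (pdfText[i] === ')') depth -= 1;
          i += 1;
        }
      }
    } else if (ch === '/') {
      const m = /^\/[^\s()<>\[\]{}\/%]*/.exec(pdfText.slice(i));
      names.push(m[0].replace(/#([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
      i += m[0].length;
    } else {
      i += 1;
    }
  }
  return names;
}

function hasJavaScriptAction(pdfText) {
  const names = namesOutsideStrings(pdfText);
  return names.includes('/JavaScript') || names.includes('/JS');
}

// --- Constructed attacker inputs (not taken from any real exploit) ---------
// Closes the (...) literal and the /Opt array, appends an /AA dictionary with
// a JavaScript action, then opens a dummy array so the original tail still parses.
const PAYLOAD_OPTION = 'Red) ] /AA << /D << /S /JavaScript /JS (app.alert(1)) >> >> /Dummy [ (';
// Same idea against a name value: a valid state followed by extra entries.
const PAYLOAD_STATE = 'On /AA << /D << /S /JavaScript /JS (app.alert(1)) >> >> /Dummy';

function demo() {
  const unsafeChoice = buildChoiceFieldUnsafe('color', ['Blue', PAYLOAD_OPTION]);
  const safeChoice = buildChoiceFieldSafe('color', ['Blue', PAYLOAD_OPTION]);
  let safeCheckBoxError = null;
  try { buildCheckBoxSafe('agree', PAYLOAD_STATE); } catch (e) { safeCheckBoxError = e.message; }
  return {
    unsafeChoice, unsafeChoiceInjected: hasJavaScriptAction(unsafeChoice),
    safeChoice, safeChoiceInjected: hasJavaScriptAction(safeChoice),
    unsafeCheckBoxInjected: hasJavaScriptAction(buildCheckBoxUnsafe('agree', PAYLOAD_STATE)),
    safeCheckBoxError,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fragments are field dictionaries, not complete PDF files, so the point is the syntax rather than a document you can open. Real /Opt arrays may also hold [export display] pairs, and the hardened serializer only neutralizes ASCII delimiters; it is the allowlist for /AS that matters most, because a name value has no escaping mechanism that would make arbitrary user text safe.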

Advisories
  Source: GitHub GHSA
  ID: GHSA-pqxr-3g65-p328
  Title: jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution
History

Wed, 18 Feb 2026 15:15:00 +0000
  CPEs (added): cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

Wed, 04 Feb 2026 12:30:00 +0000
  First Time appeared (added): Parall; Parall jspdf
  Vendors & Products (added): Parall; Parall jspdf

Wed, 04 Feb 2026 00:15:00 +0000
  Weaknesses (added): CWE-917
  References: updated
  Metrics threat_severity: None (removed) -> Important (added)

Tue, 03 Feb 2026 15:15:00 +0000
  Metrics ssvc (added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000
  Description (added): jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.
  Title (added): jsPDF has a PDF Injection in AcroFormChoiceField which allows Arbitrary JavaScript Execution
  Weaknesses (added): CWE-116
  References: updated
  Metrics cvssV3_1 (added): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:07:51.844Z

Reserved: 2026-01-26T19:06:16.059Z

Link: CVE-2026-24737

Vulnrichment

Updated: 2026-02-03T15:07:47.878Z

NVD

Status : Analyzed

Published: 2026-02-02T23:16:08.443

Modified: 2026-02-18T15:02:20.597

Link: CVE-2026-24737

Red Hat

Severity : Important

Public Date: 2026-02-02T20:29:05Z

Links: CVE-2026-24737 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses