Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Published: 2026-02-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in the AcroForm module of the jsPDF library lets an attacker inject arbitrary PDF objects, including JavaScript actions, through unsanitized user‑supplied input that is written into the generated document without escaping. When a victim opens the affected PDF and hovers over a radio button, the embedded JavaScript action runs in the PDF viewer's script engine. The weakness is classified as CWE‑116 (Improper Encoding or Escaping of Output).

Affected Systems

The issue affects versions of jsPDF before 4.2.0, supplied by the vendor Parallax. The injection arises when client code passes unsanitized input to the RadioButton.createOption method or to the AS (appearance state) property of an AcroForm field. The library runs in browser and Node.js environments and is commonly used to generate PDFs programmatically.

Risk and Exploitability

The CVSS score of 8.1 signals a high severity condition, while the EPSS score of less than 1% suggests a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user to open the malicious PDF in a renderer that honors embedded JavaScript and to hover over a radio button, so the attack vector is client‑side and needs user interaction to trigger the payload.

Generated by OpenCVE AI on April 17, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to jsPDF version 4.2.0 or later where the vulnerability is fixed.
  • If upgrading is not feasible, sanitize all user‑supplied input before it reaches the AcroForm API, especially properties used with RadioButton.createOption and the AS field.
  • Configure PDF viewer settings to disable or restrict JavaScript execution, or serve PDFs with a viewer that ignores embedded scripts.
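The workaround above (sanitizing input before it reaches the AcroForm API) as an added example, not code from jsPDF or from OpenCVE: an allowlist validator for option names and appearance-state values, with thin wrappers around a radio group's createOption and a field's AS property. The wrappers only assume that the object passed in exposes createOption(name) or an AS property, as described on this page; the sample inputs are constructed.

```javascript
// Conservative allowlist: letters, digits, space, underscore, hyphen; 1..64 characters.
// Anything else (slashes, angle brackets, parentheses, newlines, ...) is refused rather
// than escaped, since those characters are what PDF name, dictionary and action syntax
// is built from. Upgrading to jsPDF 4.2.0+ remains the real fix; this is the stopgap.
const SAFE_ACROFORM_NAME = /^[A-Za-z0-9 _-]{1,64}$/;

function isSafeAcroformName(value) {
  return typeof value === "string" && SAFE_ACROFORM_NAME.test(value);
}

// Validates, then delegates to the radio group's createOption (assumed jsPDF shape).
function createOptionSafely(radioGroup, name) {
  if (!isSafeAcroformName(name)) {
    throw new Error(`rejected unsafe AcroForm option name: ${JSON.stringify(name)}`);
  }
  return radioGroup.createOption(name);
}

// Same check for the appearance state written to a field's AS property.
function setAppearanceStateSafely(field, state) {
  if (!isSafeAcroformName(state)) {
    throw new Error(`rejected unsafe appearance state: ${JSON.stringify(state)}`);
  }
  field.AS = state;
  return field;
}

// Builds options from untrusted input, keeping accepted values and reporting rejects
// so the caller can log them instead of silently dropping them.
function buildOptions(radioGroup, untrustedNames) {
  const accepted = [];
  const rejected = [];
  for (const name of untrustedNames) {
    try {
      createOptionSafely(radioGroup, name);
      accepted.push(name);
    } catch (_err) {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input: two ordinary labels and two carrying PDF object syntax.
const SAMPLE_NAMES = ["Yes", "No", "Yes >> << /Name (x)", "No\n/Other"];
```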



Advisories
Source: GitHub GHSA
ID: GHSA-p5xg-68wr-hm3m
Title: jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
History

Mon, 23 Feb 2026 19:00:00 +0000

CPEs (values added): cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 12:15:00 +0000

References: (no values listed)
Metrics threat_severity: removed "None"; added "Important"


Fri, 20 Feb 2026 10:15:00 +0000

First Time appeared (values added): Parall; Parall jspdf
Vendors & Products (values added): Parall; Parall jspdf

Thu, 19 Feb 2026 18:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 15:45:00 +0000

Description (values added): jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Title (values added): jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Weaknesses (values added): CWE-116
References: (no values listed)
Metrics cvssV3_1 (values added): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T17:35:47.498Z

Reserved: 2026-02-09T16:22:17.787Z

Link: CVE-2026-25940

Vulnrichment

Updated: 2026-02-19T17:07:07.268Z

NVD

Status: Analyzed

Published: 2026-02-19T16:27:15.660

Modified: 2026-02-23T18:50:02.970

Link: CVE-2026-25940

Redhat

Severity: Important

Published Date: 2026-02-19T15:26:57Z

Links: CVE-2026-25940 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses