Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
Published: 2026-03-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary PDF Object Injection that can trigger JavaScript actions
Action: Apply Patch
AI Analysis

Impact

jsPDF is a JavaScript library used to generate PDF documents. A flaw in versions prior to 4.2.1 allows an attacker to supply an unsanitized value for the color argument in the createAnnotation method, which is then inserted directly into the PDF stream. By crafting special content, the attacker can inject arbitrary PDF objects, including JavaScript actions that execute when a viewer opens or interacts with the PDF, potentially enabling remote code execution within the viewer environment.

Affected Systems

The vulnerability affects the open‑source library jsPDF maintained by parallax. Any installation that uses a jsPDF version older than 4.2.1 is susceptible; the fix is available in the 4.2.1 release and later.

Risk and Exploitability

The CVSS base score is 8.1, indicating high severity. EPSS is below 1%, so the likelihood of widespread exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to create a malicious PDF or to supply crafted input to an application that uses jsPDF, which is then opened by a victim’s PDF reader. Once the PDF is accessed, the injected JavaScript actions may run with the privileges of the viewer, enabling code execution, data exfiltration, or other malicious behavior.

Generated by OpenCVE AI on March 20, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsPDF to version 4.2.1 or later.
  • Sanitize any user‑supplied data passed to createAnnotation, especially the color parameter, before calling the API.
  • If an upgrade is not possible, restrict usage of createAnnotation to trusted inputs only and monitor for abnormal PDF behavior.
  • Keep an eye on the jsPDF community for future alerts or additional patches.

Generated by OpenCVE AI on March 20, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7x6v-j9x4-qf24 jsPDF has a PDF Object Injection via FreeText color
History

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Parall
Parall jspdf
Vendors & Products Parall
Parall jspdf

Wed, 18 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
Title jsPDF has a PDF Object Injection via FreeText color
Weaknesses CWE-116
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Parall Jspdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T14:00:43.434Z

Reserved: 2026-03-09T21:59:02.689Z

Link: CVE-2026-31898

cve-icon Vulnrichment

Updated: 2026-03-18T14:00:40.248Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T04:17:21.050

Modified: 2026-03-20T18:08:04.133

Link: CVE-2026-31898

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T03:03:43Z

Links: CVE-2026-31898 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:27Z

Weaknesses