Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. As a workaround, sanitize user input before passing it to the output method.
Published: 2026-03-18
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Client-side XSS / Script Execution
Action: Immediate Patch
AI Analysis

Impact

jsPDF is a JavaScript library used to generate PDFs. Prior to version 4.2.1, a user-controlled options argument to the output function allows arbitrary HTML, including executable scripts, to be injected into a PDF that opens in a browser. The injected scripts run in the victim’s browser context, enabling extraction or modification of secrets and other malicious actions (CWE‑79).

Affected Systems

All installations of the parallax:jsPDF library older than version 4.2.1 are affected. The vulnerability exists in any instance where the vendor’s output function receives unsanitized user input before creating the PDF.

Risk and Exploitability

The CVSS score is 9.6 indicating critical impact. EPSS is below 1 %, and the flaw is not listed in the KEV catalog, suggesting low current exploitation prevalence. An attacker can supply malicious options via a web interface or other input channel; the victim then opens the resulting PDF in their browser, automatically triggering the injected scripts. Exploitation requires the victim to view the PDF, and no remote code execution on the server side is provided by the flaw. Potential damage includes script execution, data theft, or privilege escalation within the victim’s browser session.

Generated by OpenCVE AI on March 18, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading jsPDF to version 4.2.1 or later.
  • Sanitize or validate all user-supplied values for the output options before calling the output method as a temporary workaround.
  • Verify that no other areas of the application invoke the vulnerable function with unsanitized input.

Generated by OpenCVE AI on March 18, 2026 at 19:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wfv2-pwc8-crg5 jsPDF has HTML Injection in New Window paths
History

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 18 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

Wed, 18 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Parall
Parall jspdf
Vendors & Products Parall
Parall jspdf

Wed, 18 Mar 2026 03:30:00 +0000

Type Values Removed Values Added
Description jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. As a workaround, sanitize user input before passing it to the output method.
Title jsPDF has HTML Injection in New Window paths
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L'}

Subscriptions

Parall Jspdf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T13:59:51.966Z

Reserved: 2026-03-10T15:10:10.655Z

Link: CVE-2026-31938

cve-icon Vulnrichment

Updated: 2026-03-18T13:59:43.410Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T04:17:23.507

Modified: 2026-03-18T18:02:15.640

Link: CVE-2026-31938

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-18T03:05:44Z

Links: CVE-2026-31938 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:59:26Z

Weaknesses