Cross-User Data Leakage in jsPDF Library by Parallax
CVE-2026-24040
6.3MEDIUM
What is CVE-2026-24040?
The jsPDF library, used for PDF generation in JavaScript, has a vulnerability that arises from utilizing a shared module-scoped variable (text) for storing JavaScript content in its Node.js build. This issue is particularly critical in concurrent server-side environments, where simultaneous requests can lead to one user's content being inadvertently shared with another. As a result, a PDF generated for User A may unintentionally include JavaScript payloads or sensitive data meant for User B. This could lead to significant security risks if unaddressed. The issue has been resolved in version 4.1.0 of the jsPDF library.
Affected Version(s)
jsPDF < 4.1.0