XML Injection Vulnerability in jsPDF Library by Parallax
CVE-2026-24043
6.9 MEDIUM
What is CVE-2026-24043?
jsPDF, a JavaScript library for generating PDF documents, is susceptible to an XML injection vulnerability. Prior to version 4.1.0, the first argument of the addMetadata function is not checked, so user input passed there can inject arbitrary XMP metadata into the generated PDF. This flaw can compromise the integrity of the PDF, particularly if the document is subsequently signed or processed, risking unauthorized alterations. Users should upgrade to jsPDF version 4.1.0 or later to mitigate this risk.
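The flaw class described above, modelled as an added JavaScript example (not jsPDF's own code): it compares concatenating a metadata value into an XML wrapper as-is with escaping it first, and checks whether the wrapper's element structure survives. The packet template, the demo namespace and all function names are assumptions made for illustration.

```javascript
// Added illustration, not jsPDF source. The packet template and the demo:
// namespace are constructed stand-ins for an XMP wrapper (assumption).
const XML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };

// Anything outside the XML 1.0 Char production (NUL, most control characters,
// lone surrogates) is dropped before escaping.
const ILLEGAL_XML_CHARS = /[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\u{10000}-\u{10FFFF}]/gu;

function escapeXml(value) {
  return String(value)
    .replace(ILLEGAL_XML_CHARS, "")
    .replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Hypothetical builder: places a caller-supplied value inside an XML wrapper,
// either verbatim (the unchecked behaviour) or escaped.
function buildPacket(metadata, { escape }) {
  const body = escape ? escapeXml(metadata) : String(metadata);
  return (
    '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">' +
    '<rdf:Description rdf:about="" xmlns:demo="http://example.com/ns/">' +
    "<demo:metadata>" + body + "</demo:metadata>" +
    "</rdf:Description></rdf:RDF>"
  );
}

// Names of every element opened in the packet, in document order.
function elementNames(xml) {
  return Array.from(xml.matchAll(/<([A-Za-z_][\w.\-]*(?::[\w.\-]+)?)/g), (m) => m[1]);
}

const EXPECTED = ["rdf:RDF", "rdf:Description", "demo:metadata"];

// True only when the packet holds exactly the elements the template defines.
function structureIsIntact(xml) {
  const names = elementNames(xml);
  return names.length === EXPECTED.length && names.every((n, i) => n === EXPECTED[i]);
}

// Constructed sample input containing markup characters.
const untrusted = "Q3 report</demo:metadata><demo:extra>x</demo:extra><demo:metadata>";

console.log(structureIsIntact(buildPacket(untrusted, { escape: false }))); // false
console.log(structureIsIntact(buildPacket(untrusted, { escape: true })));  // true
```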
Affected Version(s)
jsPDF < 4.1.0
