Injection Flaw in jsPDF Library for PDF Generation
CVE-2026-24737

8.1HIGH

Key Information:

Vendor

Parallax

Status
JsPDF
Vendor
CVE Published:
2 February 2026

What is CVE-2026-24737?

The jsPDF library, utilized for generating PDFs in JavaScript, is susceptible to an injection flaw that permits users to manipulate properties and methods within the Acroform module. This vulnerability allows for the injection of arbitrary PDF objects, including potentially malicious JavaScript actions, which execute upon opening the document by an unsuspecting user. Specific API members, such as AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState, are particularly vulnerable when handling unsanitized input. The issue has been addressed in jsPDF version 4.1.0, and users are strongly encouraged to upgrade to this version to mitigate the risk.

Affected Version(s)

jsPDF < 4.1.0

References

https://github.com/parallax/jsPDF/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/da291a5f01b96282...
x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.