Injection Vulnerability in jsPDF Library by Parallax
CVE-2026-31898

8.1 HIGH

Key Information:

Vendor: Parallax

Status
Vendor
CVE Published: 18 March 2026

What is CVE-2026-31898?

The jsPDF library, used for generating PDF documents in JavaScript, has a vulnerability that allows arbitrary PDF objects to be injected through unsanitized input to the createAnnotation method. The issue affects versions before 4.2.1: an attacker who controls the color parameter of the method can inject PDF objects, potentially leading to JavaScript actions being executed when the PDF is opened or interacted with. Users are advised to sanitize input passed to this method to mitigate the risk, and should upgrade to version 4.2.1 or later.
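The two mitigations above (version gate and input sanitization) can be sketched as follows. This is an added example, not jsPDF code or code from the advisory; the helper names are hypothetical, and it assumes annotation colors are supplied as "#RRGGBB" hex strings.

```javascript
// Added example: defensive checks for CVE-2026-31898. Helper names are
// hypothetical; nothing here is part of the jsPDF API.
const FIXED_VERSION = [4, 2, 1]; // first patched release named on this page

// True only for a plain "major.minor.patch" string that is >= 4.2.1.
// Anything unparseable (ranges, pre-release tags) is treated as unpatched.
function isPatchedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) return false;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] > FIXED_VERSION[i];
  }
  return true; // exactly 4.2.1
}

// Allow-list rather than deny-list: accept only "#RRGGBB" (assumed format).
// Parentheses, slashes, angle brackets and whitespace, which delimit PDF
// syntax, can never pass this pattern.
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;

// Returns the color in lower case if it is well formed, else the fallback.
function safeAnnotationColor(color, fallback = "#000000") {
  if (typeof color === "string" && HEX_COLOR.test(color)) {
    return color.toLowerCase();
  }
  return fallback;
}

// Returns a copy of the annotation options with the color field normalised,
// suitable for handing to createAnnotation. Other fields are left untouched.
function sanitizeAnnotationOptions(options) {
  const clean = { ...options };
  if ("color" in clean) {
    clean.color = safeAnnotationColor(clean.color);
  }
  return clean;
}
```

Sanitizing the color is a stopgap for callers that cannot upgrade immediately; the version check belongs in a build or startup step so an unpatched jsPDF is caught before untrusted input reaches it.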

Affected Version(s)

jsPDF < 4.2.1

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
