HTML Injection Vulnerability in jsPDF Library by Parallax
CVE-2026-31938

9.6 CRITICAL

Key Information:

Vendor: Parallax
Status: Vendor
CVE Published: 18 March 2026

What is CVE-2026-31938?

CVE-2026-31938 is a vulnerability in jsPDF, a widely used open-source library for generating PDF documents in JavaScript applications. The flaw stems from improper handling of the options argument passed to the output function, which lets an attacker inject arbitrary HTML into the PDF generation process. Before version 4.2.1, attacker-influenced input could reach end users without sanitization. When a victim opens a crafted PDF in their browser, the injected script runs in the victim's browser context and can read or alter sensitive browser-held data such as cookies or session tokens. The result can undermine user trust, compromise data integrity, and expose organizations to significant security risk.
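As an added illustration (not jsPDF's own code, and not the vendor's fix), the following shows two defensive gates an application can place in front of a PDF "output" call whose options may be influenced by users: a version check against the fixed release 4.2.1 named in this advisory, and a strict allowlist on option values so that no HTML metacharacters can travel into PDF generation. The option key `filename`, the function names, and the sample version strings are assumptions chosen for illustration.

```javascript
// Added example, not jsPDF's own code: defensive checks applied before
// user-influenced values reach a PDF "output" call. The option name
// `filename` and the version strings are assumptions for illustration; only
// the fixed version 4.2.1 comes from the advisory.

const FIXED_VERSION = "4.2.1";

// Parse "major.minor.patch[-prerelease]" into three integers.
function parseVersion(v) {
  const core = String(v).split("-")[0];
  const parts = core.split(".").map((p) => parseInt(p, 10));
  while (parts.length < 3) parts.push(0);
  return parts.map((n) => (Number.isNaN(n) ? 0 : n));
}

// True when the installed jsPDF release is older than the fixed release.
function isAffectedVersion(installed) {
  const a = parseVersion(installed);
  const b = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Strict allowlist for a user-supplied filename: letters, digits, dot,
// underscore and hyphen, ending in ".pdf". Anything that could carry markup
// ('<', '>', quotes, whitespace, path separators) is rejected outright.
const SAFE_FILENAME = /^[A-Za-z0-9_.-]{1,100}\.pdf$/;

function isSafeFilename(name) {
  return typeof name === "string" && SAFE_FILENAME.test(name) && !name.includes("..");
}

// Option keys an untrusted caller may set; everything else is dropped.
const ALLOWED_OPTION_KEYS = new Set(["filename"]);

// Returns a validated copy of `options`, or throws so the request fails
// closed instead of forwarding tainted values into PDF generation.
function sanitizeOutputOptions(options) {
  const clean = {};
  for (const [key, value] of Object.entries(options || {})) {
    if (!ALLOWED_OPTION_KEYS.has(key)) continue;
    if (key === "filename" && !isSafeFilename(value)) {
      throw new Error("rejected unsafe filename option");
    }
    clean[key] = value;
  }
  return clean;
}

// Combined gate: refuse to generate at all on an affected library version,
// and otherwise return only validated options.
function guardOutputOptions(installedVersion, options) {
  if (isAffectedVersion(installedVersion)) {
    throw new Error(
      `jsPDF ${installedVersion} is affected by CVE-2026-31938; upgrade to ${FIXED_VERSION} or later`
    );
  }
  return sanitizeOutputOptions(options);
}

module.exports = { parseVersion, isAffectedVersion, isSafeFilename, sanitizeOutputOptions, guardOutputOptions };
```

The allowlist rejects rather than escapes: escaping assumes knowledge of every context the value will be interpolated into (a data URI, an HTML attribute, a window title), whereas a narrow character set is safe in all of them. The version gate is a stopgap for deployments that cannot upgrade immediately; upgrading to 4.2.1 or later remains the actual fix.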

Potential impact of CVE-2026-31938

  1. Data Breach Risk: Exploitation lets an attacker extract sensitive information from the victim's browser, which can lead to serious data breaches, including theft of personal or financial information and credentials.

  2. User Trust Erosion: The presence of such vulnerabilities can diminish user confidence in the affected applications or services, as users may become wary of interacting with products that could potentially compromise their data.

  3. Increased Attack Surface: By allowing arbitrary code execution in the client-side context, this vulnerability opens up additional pathways for further attacks, including the potential distribution of malware and subsequent exploitation of the victim's system.

Affected Version(s)

jsPDF < 4.2.1

References

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
