CVE-2026-25630
survey-pdf Upgraded jsPDF Version Due to Security Vulnerability
Description
The following security vulnerability was identified in jsPDF versions <=3.0.4: [Local File Inclusion/Path Traversal](https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2).

### Impact

Since SurveyJS PDF Generator depends on jsPDF, any project using `survey-pdf` v1.12.58 and lower or v2.5.4 and lower could be exposed to this vulnerability.

### Solution

SurveyJS PDF Generator has upgraded jsPDF to version >= 4.0.0 and included the fix in the following `survey-pdf` releases:

* [v1.12.59](https://www.npmjs.com/package/survey-pdf/v/1.12.59)
* [v2.5.5](https://www.npmjs.com/package/survey-pdf/v/2.5.5)

### Action

Users should upgrade `survey-pdf` in their projects to v1.12.59+ or v2.5.5+ immediately.

### Notes

No other `survey-pdf` dependencies are affected. This update is fully backward-compatible with previous `survey-pdf` releases.
How to fix CVE-2026-25630
To remediate CVE-2026-25630, upgrade the affected package to a fixed version below.
- Upgrade to 1.12.59 or later
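To confirm which copies of the affected packages a project actually resolves, including nested ones, the lockfile can be checked against the version thresholds stated in the description. The following is an added example, not code from the advisory or from SurveyJS; it assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3, and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: thresholds are taken from the advisory text above.
const FIXED_1X = [1, 12, 59];     // survey-pdf 1.x fix release
const FIXED_2X = [2, 5, 5];       // survey-pdf 2.x fix release
const JSPDF_LAST_BAD = [3, 0, 4]; // jsPDF <= 3.0.4 is vulnerable

// Parse "x.y.z"; prerelease/build suffixes are ignored (a simplification).
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(name, version) {
  const v = parse(version);
  if (!v) return false;
  if (name === 'jspdf') return cmp(v, JSPDF_LAST_BAD) <= 0;
  // Each release line has its own fix, so 2.5.4 is affected even though 2.5.4 > 1.12.59.
  if (name === 'survey-pdf') return cmp(v, v[0] >= 2 ? FIXED_2X : FIXED_1X) < 0;
  return false;
}

// Walk the "packages" map of the lockfile, including nested copies
// such as node_modules/a/node_modules/jspdf.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (isAffected(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/survey-pdf': { version: '2.5.4' },
    'node_modules/survey-pdf/node_modules/jspdf': { version: '3.0.4' },
    'node_modules/jspdf': { version: '4.0.0' },
  },
};

console.log(findAffected(sampleLock));
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected` in place of the sample object.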
Is CVE-2026-25630 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-25630.
Affected packages (1)
- from 0, < 1.12.59
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |