CVE-2026-31898
HIGH8.1EPSS 0.05%jsPDF has a PDF Object Injection via FreeText color
Description
### Impact User control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with.. * `createAnnotation`: `color` parameter Example attack vector: ```js import { jsPDF } from 'jspdf' const doc = new jsPDF(); const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> ('; doc.createAnnotation({ type: 'freetext', bounds: { x: 10, y: 10, w: 120, h: 20 }, contents: 'hello', color: payload }); doc.save('test.pdf'); ``` ### Patches The vulnerability has been fixed in [email protected]. ### Workarounds Sanitize user input before passing it to the vulnerable API members.
Affected packages (1)
- npm/jspdffrom 0, < 4.2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-31898
- PATCHhttps://github.com/parallax/jsPDF
- WEBhttps://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208
- WEBhttps://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8
- WEBhttps://github.com/parallax/jsPDF/releases/tag/v4.2.1
- WEBhttps://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24