CVE-2026-22787

描述

### Impact html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. Example attack vector: ```js import html2pdf from 'html2pdf.js/src/index.js'; const maliciousHTML = '<img src=x onerror="alert(document.cookie)">'; html2pdf(maliciousHTML); // or html2pdf().from(maliciousHTML); ``` ### Patches This vulnerability has been fixed in [email protected] to sanitize text sources using DOMPurify. There are no other breaking changes in this version. ### Workarounds Users of earlier versions of html2pdf.js must safely sanitize any text before using it as a source in html2pdf.js. ### References - Initial report: https://github.com/eKoopmans/html2pdf.js/issues/865 - Fix: https://github.com/eKoopmans/html2pdf.js/pull/877, [v0.14.0](https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0) - CVE-2026-22787: https://nvd.nist.gov/vuln/detail/CVE-2026-22787

如何修補 CVE-2026-22787

要修補 CVE-2026-22787,請將受影響套件升級到下列已修補版本。

• —升級至 0.14.0 或更新版本

CVE-2026-22787 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 0.14.0

CVSS 分數

參考連結(8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-22787
• PATCHgithub.com/eKoopmans/html2pdf.js
• WEBaydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability
• WEBgithub.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b