Security Advisory

CVE-2026-31898

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-18 03:03:43
Last updated 2026-06-30 12:07:46
Assigner GitHub_M
State PUBLISHED

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.