Main Vulnerability Database SB2026010584

SB2026010584 - Path traversal in jsPDF

Published: January 5, 2026 Updated: January 16, 2026

Security Bulletin ID SB2026010584

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Path traversal (CVE-ID: CVE-2025-68428)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences passed via the first argument of the loadFile, addImage, html, and addFont methods in the node.js build in dist/jspdf.node.js and dist/jspdf.node.min.js files. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Remediation

Install update from vendor's website.

References

https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2