SB2026042736 - Multiple vulnerabilities in jspdf
Published: April 27, 2026
Breakdown by Severity (chart not reproduced; per-severity counts are not available in this text)
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-31938)
The vulnerability allows a remote attacker to inject arbitrary HTML and execute script in the victim's browser context.
The vulnerability exists due to improper neutralization of input during web page generation in the output() function when it handles the "pdfobjectnewwindow", "pdfjsnewwindow" or "dataurlnewwindow" output types: user-controlled option values are concatenated into the HTML that is written into the newly opened window without escaping. A remote attacker who can influence those option values can inject arbitrary HTML and execute script in the victim's browser context.
User interaction is required: the victim must trigger generation of the PDF through one of these new-window outputs while the attacker controls the option value.
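The following is an added example, not code from jsPDF or from this bulletin. It is a reduced model of the pattern described above: an output option is concatenated straight into the HTML of a newly opened window. The option name `filename`, the iframe layout and the crafted value are assumptions chosen to illustrate the bug class; the hardened variant shows the two controls a practitioner would add, an allowlist on the option and HTML escaping at the point of interpolation.

```javascript
// Added example, not jsPDF's own code. Models an output() "new window" path
// where an option value is written into the HTML of a freshly opened window.
// The `filename` option name and the HTML shape are assumptions.

// Vulnerable pattern: raw concatenation of an option into an HTML attribute.
function buildNewWindowHtmlVulnerable(pdfDataUri, options) {
  const filename = options.filename || "generated.pdf";
  return (
    "<html><body>" +
    '<iframe title="' + filename + '" src="' + pdfDataUri + '"></iframe>' +
    "</body></html>"
  );
}

// Hardened pattern: allowlist the option, then escape whatever still lands
// in markup. Both controls are needed; escaping alone would keep a bad
// filename, and validation alone still leaves future interpolations unsafe.
const SAFE_FILENAME = /^[A-Za-z0-9._-]{1,100}\.pdf$/;

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function buildNewWindowHtmlSafe(pdfDataUri, options) {
  const filename = options.filename || "generated.pdf";
  if (!SAFE_FILENAME.test(filename)) {
    throw new Error("rejected filename option");
  }
  // Only a base64 PDF data URI may be embedded; anything else is refused.
  if (!/^data:application\/pdf;base64,[A-Za-z0-9+/=]+$/.test(pdfDataUri)) {
    throw new Error("rejected data URI");
  }
  return (
    "<html><body>" +
    '<iframe title="' + escapeHtml(filename) + '" src="' + escapeHtml(pdfDataUri) + '"></iframe>' +
    "</body></html>"
  );
}

// Constructed payload: closes the title attribute and adds an event handler.
const CRAFTED_FILENAME = '"><img src=x onerror="alert(document.domain)">';

// Runs both builders against the crafted option and a benign one.
function demo() {
  const dataUri = "data:application/pdf;base64,JVBERi0xLjQK"; // constructed, not a real PDF
  const vuln = buildNewWindowHtmlVulnerable(dataUri, { filename: CRAFTED_FILENAME });
  let safeError = null;
  try {
    buildNewWindowHtmlSafe(dataUri, { filename: CRAFTED_FILENAME });
  } catch (e) {
    safeError = e.message;
  }
  return {
    vulnerableHasInjectedTag: vuln.includes("<img src=x onerror="),
    hardenedRejected: safeError !== null,
    hardenedNormal: buildNewWindowHtmlSafe(dataUri, { filename: "report.pdf" }),
  };
}

console.log(demo());
```

The important property of the hardened builder is that the decision about what a filename may contain is made before the value reaches any HTML, and the escaping at the interpolation point is context-specific (attribute value). Applying the same escaping to a value placed in a `<script>` block, as some new-window paths do, would not be sufficient, so each interpolation context needs its own encoder.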
2) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-31898)
The vulnerability allows a remote attacker to inject arbitrary PDF objects.
The vulnerability exists due to improper encoding or escaping of output in the createAnnotation method when processing the color parameter of a free text annotation: the value is written into the annotation dictionary without escaping PDF syntax characters, so a crafted value can break out of the intended field and append further PDF objects, including action dictionaries.
User interaction is required: the victim must open or interact with the generated PDF in a viewer for injected actions to trigger.
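The following is an added example, not code from jsPDF or from this bulletin. It models the free text annotation case above: a colour value is interpolated into a PDF literal string inside the annotation dictionary. The dictionary layout (`/DS` for the default style, `/Contents` for the text) is an assumption for illustration; the point is that PDF literal strings are delimited by parentheses, so an unescaped `)` ends the string and everything after it is parsed as dictionary syntax. The hardened form adds a strict allowlist for the colour and a PDF string encoder for any free-form text.

```javascript
// Added example, not jsPDF's own code. Models writing a FreeText annotation
// dictionary where the `color` option lands inside a PDF literal string.
// The dictionary layout is an assumption for illustration.

// Vulnerable pattern: raw interpolation into a "( ... )" literal string.
function freeTextAnnotVulnerable(rect, contents, color) {
  return (
    "<</Type /Annot /Subtype /FreeText /Rect [" + rect.join(" ") + "] " +
    "/Contents (" + contents + ") " +
    "/DS (font: 10pt Helvetica; color: " + color + ")>>"
  );
}

// PDF literal strings use ( ) as delimiters and \ as the escape character.
// Escape those three, and write newlines and other control bytes in octal
// so a value can never terminate the string early.
function pdfLiteral(s) {
  let out = "";
  for (const ch of String(s)) {
    const code = ch.charCodeAt(0);
    if (ch === "\\" || ch === "(" || ch === ")") out += "\\" + ch;
    else if (code < 0x20 || code === 0x7f) out += "\\" + code.toString(8).padStart(3, "0");
    else if (code > 0xff) throw new Error("non-Latin-1 text needs a hex or UTF-16BE string");
    else out += ch;
  }
  return "(" + out + ")";
}

// A colour has a tiny grammar, so allowlist it before it reaches the encoder.
const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;

function freeTextAnnotSafe(rect, contents, color) {
  if (rect.length !== 4 || !rect.every(Number.isFinite)) throw new Error("bad rect");
  if (!HEX_COLOR.test(color)) throw new Error("rejected color option");
  return (
    "<</Type /Annot /Subtype /FreeText /Rect [" + rect.join(" ") + "] " +
    "/Contents " + pdfLiteral(contents) + " " +
    "/DS " + pdfLiteral("font: 10pt Helvetica; color: " + color) + ">>"
  );
}

// Constructed payload: closes the /DS string, appends an additional-actions
// dictionary, then reopens a string so the original ")" still balances.
const CRAFTED_COLOR =
  "#ff0000) /AA << /E << /S /URI /URI (https://example.invalid/) >> >> /X (";

function demo() {
  const rect = [10, 10, 100, 30];
  const vuln = freeTextAnnotVulnerable(rect, "hello", CRAFTED_COLOR);
  let rejected = false;
  try {
    freeTextAnnotSafe(rect, "hello", CRAFTED_COLOR);
  } catch (e) {
    rejected = true;
  }
  return {
    vulnerableInjectsAction: vuln.includes("color: #ff0000) /AA"),
    hardenedRejected: rejected,
    hardenedNormal: freeTextAnnotSafe(rect, "say (hi)", "#00ff00"),
  };
}

console.log(demo());
```

Note that `/Contents` gets the same encoder: even though this bulletin names only the colour parameter, every value that is interpolated into a PDF literal string has the same delimiter problem, and fixing one field while leaving the others concatenated raw only moves the injection point.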
Remediation
Update jspdf to a release from the vendor that addresses CVE-2026-31938 and CVE-2026-31898. Until the update is applied, do not pass untrusted values as options to the "pdfobjectnewwindow", "pdfjsnewwindow" or "dataurlnewwindow" outputs, and do not pass untrusted values as the color of a free text annotation.