Improper Encoding or Escaping of Output in jspdf - CVE-2026-24737

Published: April 27, 2026


Vulnerability identifier: #VU127963
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-24737
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jelle_S
Affected software:
jspdf

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript.

The vulnerability exists due to improper encoding or escaping of output in the AcroForm module when processing unsanitized input passed to affected AcroForm methods or properties. A remote attacker can supply crafted input to inject arbitrary PDF objects and execute arbitrary JavaScript.

User interaction is required to open the crafted PDF document.
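The root cause above is an application value reaching PDF syntax unescaped. The following is an added example, not jspdf's own code, of how a caller can escape untrusted text per the PDF specification (ISO 32000-1, literal strings in §7.3.4.2 and name objects in §7.3.5) before handing it to any PDF generator's form-field API; it is a defence-in-depth measure and does not replace the vendor update. Function names and the sample inputs are assumptions constructed for this example.

```javascript
// Escape an untrusted value for use inside a PDF literal string "( ... )".
// The spec requires backslash-escaping of \ ( ) ; control characters and
// any other byte are written as \ddd octal so nothing can close the string
// or start a new PDF object. Code points above 0xFF are rejected: they need
// a UTF-16BE text-string encoding, which is out of scope for this example.
function escapePdfLiteralString(value) {
  let out = "";
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (code > 0xff) {
      throw new RangeError("code point > 0xFF: encode as UTF-16BE text string first");
    }
    if (ch === "\\" || ch === "(" || ch === ")") {
      out += "\\" + ch;
    } else if (code < 0x20 || code > 0x7e) {
      out += "\\" + code.toString(8).padStart(3, "0");
    } else {
      out += ch;
    }
  }
  return out;
}

// Encode an untrusted string as the body of a PDF name object "/Name".
// Whitespace, the delimiters ( ) < > [ ] { } / % , the '#' character and
// anything outside printable ASCII are written as #xx hex escapes.
const PDF_NAME_SPECIAL = new Set([...'()<>[]{}/%#', '\0', '\t', '\n', '\f', '\r', ' ']);

function encodePdfName(name) {
  let out = "";
  for (const ch of String(name)) {
    const code = ch.codePointAt(0);
    if (code > 0xff) {
      throw new RangeError("code point > 0xFF is not representable in a PDF name");
    }
    if (PDF_NAME_SPECIAL.has(ch) || code < 0x21 || code > 0x7e) {
      out += "#" + code.toString(16).toUpperCase().padStart(2, "0");
    } else {
      out += ch;
    }
  }
  return out;
}

// Constructed sample values showing the transformation (not real field data).
console.log(escapePdfLiteralString("a)b\\c"));       // a\)b\\c
console.log(escapePdfLiteralString("line\nbreak"));  // line\012break
console.log(encodePdfName("Field Name/1"));          // Field#20Name#2F1
```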


How to mitigate CVE-2026-24737

Install the security update from the vendor's website.

Sources