Improper Neutralization of Special Elements in Output Used by a Downstream Component in jspdf - CVE-2026-24043

Published: April 27, 2026


Vulnerability identifier: #VU127964
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-24043
CWE-ID: CWE-74
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jelle_S
Affected software:
jspdf

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary XMP metadata into generated PDF documents.

The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the addMetadata function when processing unsanitized user-supplied metadata input. A remote attacker can supply crafted XML content to inject arbitrary XMP metadata into generated PDF documents.

This can spoof document identity information and undermine the integrity of PDFs that are signed, stored, or otherwise processed afterward.
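The weakness described above is that caller-supplied text reaches the XMP writer without XML escaping. As an added example (not jsPDF's own code, and not a patch for the library), the following shows the neutralization step a caller or a fixed library would apply before building XMP: every XML-significant character in a metadata value is replaced by its predefined entity, property names are restricted to a plain identifier form, and a check confirms that only the expected elements remain. The helper names, the namespace URI and the sample title are constructed for this illustration.

```javascript
// Added example (not jsPDF's own code): neutralize XML special characters in
// caller-supplied metadata before handing it to a PDF library's XMP writer.
// The five XML predefined entities cover every character that can open or
// close markup or terminate an attribute value.
const XML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&apos;',
};

// Escape a string so it is inert when embedded as XML text or attribute content.
function escapeXmlText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Build an XMP-style RDF description from a plain object of property values.
// Each value is escaped, so untrusted input cannot add or close elements.
// Property names are restricted to an identifier form so they cannot carry
// markup either (hypothetical helper, namespace prefix "ns" is constructed).
function buildSafeXmpDescription(properties, namespaceUri) {
  const safeNameRe = /^[A-Za-z_][A-Za-z0-9_.-]*$/;
  const entries = Object.entries(properties).map(([name, value]) => {
    if (!safeNameRe.test(name)) {
      throw new Error(`Rejected metadata property name: ${JSON.stringify(name)}`);
    }
    return `    <ns:${name}>${escapeXmlText(value)}</ns:${name}>`;
  });
  return [
    `  <rdf:Description rdf:about="" xmlns:ns="${escapeXmlText(namespaceUri)}">`,
    ...entries,
    '  </rdf:Description>',
  ].join('\n');
}

// Integrity check on the rendered description: after escaping, the only tags
// present must be the rdf:Description wrapper and the ns:<name> elements.
function containsOnlyExpectedTags(xml) {
  const tags = xml.match(/<\/?[^>]+>/g) || [];
  const allowed = /^<\/?(rdf:Description|ns:[A-Za-z_][A-Za-z0-9_.-]*)(\s[^>]*)?>$/;
  return tags.every((t) => allowed.test(t));
}

// Constructed sample: a title containing characters that are significant in
// XML; after escaping it is carried as plain text, not as markup.
const sampleTitle = 'Q1 Report <draft> & "final"';
const sampleXmp = buildSafeXmpDescription({ title: sampleTitle }, 'http://example.com/ns/');
```

The same check (`containsOnlyExpectedTags`) can be run over XMP emitted by an existing PDF pipeline to detect values that were written unescaped.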


How to mitigate CVE-2026-24043

Install the security update from the vendor's website.

Sources