Code Injection in jspdf - CVE-2026-25755

Published: April 27, 2026

Vulnerability identifier: #VU127969
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-25755
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jelle_S
Affected software:
jspdf

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary PDF objects into the generated document.

The vulnerability exists due to improper control of code generation in the addJS method when processing user-supplied JavaScript input. A remote attacker can supply a crafted addJS argument to inject arbitrary PDF objects into the generated document.

User interaction is required: the victim must open the generated PDF, and the injected additional actions may execute when the document is opened or receives focus.
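The fix the advisory calls for lives on the generator's side. As an added example, not jsPDF's own code, the block below shows how a generator can serialize a script into a PDF JavaScript action without letting the script's characters alter the document structure, and why the script text itself must still come from a trusted source. It assumes the action stores the script as a PDF literal string; the function names and the allow-list are hypothetical.

```javascript
// Added example, not jsPDF's own code.  It shows how a PDF generator
// can embed a script in a JavaScript action dictionary without letting
// the script's characters alter the document structure.  Assumption:
// the action writes the script as a PDF literal string "(...)".

// Escape `str` as a PDF literal string (ISO 32000-1, 7.3.4.2).  Backslash
// and both parentheses are escaped, line breaks and other control
// characters become escape sequences, and non-ASCII input is rejected
// rather than silently mis-encoded.
function toPdfLiteral(str) {
  let body = '';
  for (const ch of str) {
    const code = ch.codePointAt(0);
    if (code > 0x7f) {
      throw new Error('non-ASCII character U+' + code.toString(16) + ' not supported');
    }
    if (ch === '\\' || ch === '(' || ch === ')') body += '\\' + ch;
    else if (ch === '\n') body += '\\n';
    else if (ch === '\r') body += '\\r';
    else if (ch === '\t') body += '\\t';
    else if (code < 0x20 || code === 0x7f) body += '\\' + code.toString(8).padStart(3, '0');
    else body += ch;
  }
  return '(' + body + ')';
}

// Serialize the action dictionary with the script as one escaped literal
// string, so no character of the script can become a token (">>", "/S",
// "endobj", ...) of the surrounding PDF syntax.
function buildJavaScriptAction(script) {
  return '<< /S /JavaScript /JS ' + toPdfLiteral(script) + ' >>';
}

// Escaping only keeps the document structure intact: whatever script
// is embedded still runs in the viewer when the document opens.  The
// script text must therefore come from the application's own templates
// (hypothetical allow-list below), never from a request parameter.
const TRUSTED_SCRIPTS = {
  welcome: 'app.alert("Document opened (read-only copy)");',
};

function actionForTrustedScript(name) {
  if (!Object.prototype.hasOwnProperty.call(TRUSTED_SCRIPTS, name)) {
    throw new Error('unknown script template: ' + name);
  }
  return buildJavaScriptAction(TRUSTED_SCRIPTS[name]);
}
```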

How to mitigate CVE-2026-25755

Install the security update from the vendor's website.