Cross-site scripting in jspdf - CVE-2026-31938

 

Published: April 27, 2026


Vulnerability identifier: #VU127970
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2026-31938
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jelle_S
Affected software:
jspdf

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary HTML and execute script in the victim's browser context.

The vulnerability exists due to improper neutralization of input during web page generation in the output function when processing user-controlled output options for the "pdfobjectnewwindow", "pdfjsnewwindow", or "dataurlnewwindow" overloads. A remote attacker can supply specially crafted option values to inject arbitrary HTML and execute script in the victim's browser context.

User interaction is required because the victim must create and open the generated PDF in a browser.


How to mitigate CVE-2026-31938

Install the security update from the vendor's website.
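As an added example that is not part of this advisory or of jsPDF itself: while the update is rolled out, an application that forwards caller-supplied options to output() for the three overloads named above can refuse to pass them through unescaped. The option keys (title, filename, pdfObjectUrl, pdfJsUrl) and the allowlist of script hosts are assumptions for this example.

```javascript
// Application-side guard (added example, not jsPDF code): escape or validate
// option values before they reach doc.output(type, options) for the
// overloads the advisory names. Key names below are assumptions.
const NEW_WINDOW_TYPES = new Set(["pdfobjectnewwindow", "pdfjsnewwindow", "dataurlnewwindow"]);

// Keys assumed to be interpolated as text into the generated page.
const STRING_OPTIONS = new Set(["title", "filename"]);
// Keys assumed to be used as script/viewer URLs in the generated page.
const URL_OPTIONS = new Set(["pdfObjectUrl", "pdfJsUrl"]);

// Minimal HTML entity escaping for text that lands inside markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept only absolute https URLs whose host is on an explicit allowlist.
function isAllowedUrl(value, allowedHosts) {
  let url;
  try { url = new URL(String(value)); } catch { return false; }
  return url.protocol === "https:" && allowedHosts.includes(url.hostname);
}

// Returns a copy of `options` safe to hand to output(); throws on a bad URL.
function sanitizeOutputOptions(type, options, allowedHosts = []) {
  if (!NEW_WINDOW_TYPES.has(type)) return { ...options }; // other overloads untouched
  const clean = {};
  for (const [key, value] of Object.entries(options || {})) {
    if (STRING_OPTIONS.has(key)) {
      clean[key] = escapeHtml(value);
    } else if (URL_OPTIONS.has(key)) {
      if (!isAllowedUrl(value, allowedHosts)) throw new Error(`rejected ${key}`);
      clean[key] = String(value);
    }
    // Unknown keys are dropped rather than forwarded to the generated page.
  }
  return clean;
}
```

Call sanitizeOutputOptions before doc.output(type, options) wherever any option value originates from a request parameter or user profile.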

Sources