Improper Encoding or Escaping of Output in jspdf - CVE-2026-31898


Published: April 27, 2026


Vulnerability identifier: #VU127971
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-31898
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jelle_S
Affected software:
jspdf

Detailed vulnerability description

The vulnerability allows a remote attacker to inject arbitrary PDF objects into a document generated with jspdf.

The vulnerability exists because the createAnnotation method does not encode or escape the color parameter of a free text annotation before writing it into the PDF output (CWE-116). When an application passes attacker-controlled data as that color value, a crafted string can break out of the annotation's color value and add arbitrary PDF objects or dictionary entries to the generated document.

Exploitation requires user interaction (the UI:A component of the CVSS vector): a victim must open or interact with the generated PDF for the injected actions to trigger.
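The following is an added illustration of the pattern the advisory describes, not jspdf's own createAnnotation code. It uses a deliberately minimal, hypothetical annotation writer: an unsafe variant that interpolates the color parameter straight into the /C array of a FreeText annotation dictionary, and a hardened variant that parses the color into numbers and re-serialises it, so no character from the input reaches PDF syntax. The function names, the accepted color formats, and the payload string are all constructed for this example.

```javascript
// Added example (not jspdf code): minimal stand-in for a free text
// annotation writer showing the CWE-116 pattern and a hardened variant.
// All names here are hypothetical.

// Escape the characters that delimit a PDF literal string: backslash,
// parentheses, and line breaks.
function escapePdfString(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Vulnerable pattern: the caller-supplied color is written into the /C
// array as-is, so a value containing PDF syntax closes the array early and
// appends arbitrary keys (or whole objects) to the annotation dictionary.
function buildFreeTextAnnotationUnsafe(rect, contents, color) {
  return (
    "<< /Type /Annot /Subtype /FreeText" +
    " /Rect [" + rect.join(" ") + "]" +
    " /Contents (" + escapePdfString(contents) + ")" +
    " /C [" + color + "]" +
    " >>"
  );
}

// Hardened pattern: accept only '#rrggbb' or an array of 1, 3 or 4
// components (Gray, RGB, CMYK), convert to numbers in [0, 1], and emit the
// numbers with a fixed format. Any other input is rejected outright.
function normalizeColor(color) {
  const usage = "color must be #rrggbb or an array of 1, 3, or 4 numbers";
  let comps;
  if (typeof color === "string") {
    const m = /^#([0-9a-f]{6})$/i.exec(color.trim());
    if (!m) throw new TypeError(usage);
    comps = [0, 2, 4].map((i) => parseInt(m[1].slice(i, i + 2), 16) / 255);
  } else if (Array.isArray(color) && [1, 3, 4].includes(color.length)) {
    comps = color.map(Number);
  } else {
    throw new TypeError(usage);
  }
  if (!comps.every((c) => Number.isFinite(c) && c >= 0 && c <= 1)) {
    throw new RangeError("color components must be numbers in [0, 1]");
  }
  return comps.map((c) => c.toFixed(3));
}

function buildFreeTextAnnotationSafe(rect, contents, color) {
  const rectNums = rect.map(Number);
  if (rectNums.length !== 4 || !rectNums.every(Number.isFinite)) {
    throw new TypeError("rect must be four finite numbers");
  }
  return (
    "<< /Type /Annot /Subtype /FreeText" +
    " /Rect [" + rectNums.map((n) => n.toFixed(2)).join(" ") + "]" +
    " /Contents (" + escapePdfString(contents) + ")" +
    " /C [" + normalizeColor(color).join(" ") + "]" +
    " >>"
  );
}

// Constructed payload: closes the /C array and smuggles an extra dictionary
// entry. In a real attack this position would carry an action dictionary,
// which is what the advisory's "injected actions" refers to.
const INJECTING_COLOR = "1 0 0] /Injected (marker) /X [0";

const RECT = [10, 20, 110, 40];
console.log(buildFreeTextAnnotationUnsafe(RECT, "note", INJECTING_COLOR));
console.log(buildFreeTextAnnotationSafe(RECT, "Hello (world)", "#ff0000"));
try {
  buildFreeTextAnnotationSafe(RECT, "note", INJECTING_COLOR);
} catch (e) {
  console.log("rejected:", e.message);
}
```

The hardened variant deliberately does not try to "escape" the color string: a color is structured data, so the correct fix is to parse it into its expected shape and regenerate the PDF syntax from the parsed values, reserving escaping for genuinely free-form values such as the /Contents literal string.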


How to mitigate CVE-2026-31898

Install the security update from the vendor's website. Until the update is deployed, do not pass untrusted input as the color of a free text annotation: validate the value against the expected color format (a numeric triple or a hex colour string) before calling createAnnotation, and reject anything else.

Sources