CVE-2026-24737

8.1 HIGH

📋 TL;DR

This vulnerability in jsPDF allows attackers to inject arbitrary PDF objects, including JavaScript actions, through user-controlled input to specific Acroform module methods and properties. When a victim opens a malicious PDF document, the injected JavaScript executes in their PDF viewer context. This affects any application using jsPDF versions before 4.1.0 that allows user input to reach the vulnerable API members.

💻 Affected Systems

Products:
  • jsPDF
Versions: All versions before 4.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the Acroform module methods/properties with user-controlled input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of victim's system through arbitrary code execution when opening a malicious PDF, potentially leading to data theft, ransomware deployment, or system takeover.

🟠 Likely Case

Cross-site scripting (XSS) attacks, session hijacking, credential theft, or malicious redirects when PDFs are opened in web applications.

🟢 If Mitigated

Limited impact with proper input validation and sanitization, potentially reduced to denial of service or minor data leakage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening PDF) but is straightforward once malicious input reaches vulnerable methods.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328

Restart Required: No

Instructions:

1. Update jsPDF dependency to version 4.1.0 or later.
2. For npm: 'npm update jspdf'.
3. For yarn: 'yarn upgrade jspdf'.
4. Verify package.json shows 'jspdf': '^4.1.0'.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for all user inputs passed to AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState methods.
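One way to apply this workaround, as an added example that is not code from jsPDF or the vendor advisory: allowlist checks run on every value before it reaches the members listed above. The function names, the length limit and the identifier pattern are assumptions chosen for illustration; `field` is whatever choice-field object the application already holds.

```javascript
// Added example: allowlist checks for values headed to the AcroForm members
// named above. Function names and limits are assumptions, not jsPDF API.

// PDF delimiter characters, backslash and control bytes. Any of these in a
// value could terminate the string or name it is written into.
const PDF_SPECIALS = /[()<>\[\]{}\/%\\\u0000-\u001f\u007f]/;
const MAX_LABEL_LENGTH = 128; // assumed application limit

// Option labels: non-empty text with no PDF syntax characters.
function validateOptionLabel(value) {
  if (typeof value !== "string") throw new TypeError("option must be a string");
  // Normalize first so compatibility forms of delimiters are caught as well.
  const label = value.normalize("NFKC").trim();
  if (label.length === 0 || label.length > MAX_LABEL_LENGTH) {
    throw new RangeError("option length out of bounds");
  }
  if (PDF_SPECIALS.test(label)) {
    throw new Error("option contains PDF syntax characters");
  }
  return label;
}

// Appearance states are written as PDF names, so accept only a short
// plain identifier (letters, digits, underscore).
function validateAppearanceState(value) {
  if (typeof value !== "string" || !/^[A-Za-z][A-Za-z0-9_]{0,31}$/.test(value)) {
    throw new Error("appearance state must be a plain identifier");
  }
  return value;
}

// Validate every label before touching the field, so one rejected value
// leaves the field unchanged. `field` is any object exposing addOption.
function addOptionsSafely(field, labels) {
  const clean = labels.map(validateOptionLabel);
  clean.forEach((label) => field.addOption(label));
  return clean;
}
```

Rejecting the input outright, rather than stripping characters from it, avoids having to reason about what the remaining text means once it is written into the PDF.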

Disable Acroform Module

all

If Acroform functionality is not required, disable or avoid using the vulnerable Acroform module methods entirely.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs passed to vulnerable Acroform methods.
  • Use Content Security Policy (CSP) headers to restrict script execution in PDF contexts.

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for jsPDF version. If version is below 4.1.0 and application uses Acroform module with user input, it's vulnerable.

Check Version:

npm list jspdf | grep jspdf

Verify Fix Applied:

Verify jsPDF version is 4.1.0 or higher in package.json and test that user input to Acroform methods no longer allows JavaScript injection.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF generation patterns, unexpected JavaScript in PDF metadata, errors from PDF parsing libraries

Network Indicators:

  • Unexpected PDF downloads containing JavaScript objects, suspicious file uploads to PDF generation endpoints

SIEM Query:

source="web_server" AND (uri="*.pdf" OR (method="POST" AND uri="/generate-pdf")) AND (user_agent="*malicious*" OR referer="*suspicious*")
