CVE-2026-24043

MEDIUM SEVERITY

Vulnerability Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.

Vulnerability Details

Published Date

February 02, 2026

Last Modified

February 03, 2026

CWE ID

CWE-74

Source

GitHub

Vendor

npm

Product

jspdf

External References

https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422
https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff
https://github.com/advisories/GHSA-vm32-vv63-w422

CVE-2026-24043

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment