CVE-2026-24040

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e	Patch
https://github.com/parallax/jsPDF/releases/tag/v4.1.0	Release Notes
https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

History

18 Feb 2026, 14:42

Type	Values Removed	Values Added
First Time		Parall Parall jspdf
CPE		cpe:2.3:a:parall:jspdf::::::node.js::*
Summary		(es) jsPDF es una biblioteca para generar PDFs en JavaScript. Antes de la versión 4.1.0, el método addJS en la compilación de Node.js de jspdf utiliza una variable compartida con ámbito de módulo (text) para almacenar contenido JavaScript. Cuando se utiliza en un entorno concurrente (por ejemplo, un servidor web Node.js), esta variable se comparte entre todas las solicitudes. Si múltiples solicitudes generan PDFs simultáneamente, el contenido JavaScript destinado a un usuario puede ser sobrescrito por una solicitud subsiguiente antes de que se genere el documento. Esto resulta en una Fuga de Datos entre Usuarios (Cross-User Data Leakage), donde el PDF generado para el Usuario A contiene la carga útil de JavaScript (y cualquier dato sensible incrustado) destinada al Usuario B. Típicamente, esto solo afecta a entornos del lado del servidor, aunque las mismas condiciones de carrera podrían ocurrir si jsPDF se ejecuta del lado del cliente. La vulnerabilidad ha sido corregida en jsPDF@4.1.0.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
References	~~() https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e -~~	() https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e - Patch
References	~~() https://github.com/parallax/jsPDF/releases/tag/v4.1.0 -~~	() https://github.com/parallax/jsPDF/releases/tag/v4.1.0 - Release Notes
References	~~() https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 -~~	() https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 - Vendor Advisory, Exploit

02 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 23:16

Updated : 2026-02-18 14:42

NVD link : CVE-2026-24040

Mitre link : CVE-2026-24040

CVE.ORG link : CVE-2026-24040

JSON object : View

Products Affected

parall

jspdf

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

4.8 /10