CVE-2026-24043

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff	Patch
https://github.com/parallax/jsPDF/releases/tag/v4.1.0	Release Notes
https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422	Vendor Advisory Exploit Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*

History

18 Feb 2026, 14:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
Summary		(es) jsPDF es una biblioteca para generar PDFs en JavaScript. Anteriormente a la versión 4.1.0, el control del usuario sobre el primer argumento de la función addMetadata permite a los usuarios inyectar XML arbitrario. Si se le ofrece la posibilidad de pasar entrada no saneada al método addMetadata, un usuario puede inyectar metadatos XMP arbitrarios en el PDF generado. Si el PDF generado es firmado, almacenado o procesado de alguna otra manera posteriormente, la integridad del PDF ya no puede garantizarse. La vulnerabilidad ha sido corregida en jsPDF@4.1.0.
First Time		Parall Parall jspdf
References	~~() https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff -~~	() https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff - Patch
References	~~() https://github.com/parallax/jsPDF/releases/tag/v4.1.0 -~~	() https://github.com/parallax/jsPDF/releases/tag/v4.1.0 - Release Notes
References	~~() https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 -~~	() https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 - Vendor Advisory, Exploit, Mitigation
CPE		cpe:2.3:a:parall:jspdf::::::node.js::*

02 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-02 23:16

Updated : 2026-02-18 14:43

NVD link : CVE-2026-24043

Mitre link : CVE-2026-24043

CVE.ORG link : CVE-2026-24043

JSON object : View

Products Affected

parall

jspdf

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

5.4 /10