{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22787", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T18:27:19.388Z", "datePublished": "2026-01-14T16:52:38.372Z", "dateUpdated": "2026-01-20T18:37:09.279Z"}, "containers": {"cna": {"title": "html2pdf.js has a cross-site scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc"}, {"name": "https://github.com/eKoopmans/html2pdf.js/issues/865", "tags": ["x_refsource_MISC"], "url": "https://github.com/eKoopmans/html2pdf.js/issues/865"}, {"name": "https://github.com/eKoopmans/html2pdf.js/pull/877", "tags": ["x_refsource_MISC"], "url": "https://github.com/eKoopmans/html2pdf.js/pull/877"}, {"name": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b", "tags": ["x_refsource_MISC"], "url": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b"}, {"name": "https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0"}], "affected": [{"vendor": "eKoopmans", "product": "html2pdf.js", "versions": [{"version": "< 0.14.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T16:52:38.372Z"}, "descriptions": [{"lang": "en", "value": "html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0."}], "source": {"advisory": "GHSA-w8x4-x68c-m6fc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-14T21:02:44.599277Z", "id": "CVE-2026-22787", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:02:52.822Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-20T18:37:09.279Z"}, "references": [{"url": "https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-01-20T18:37:09.279Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22787", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-14T21:02:44.599277Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-14T21:02:49.627Z"}}], "cna": {"title": "html2pdf.js has a cross-site scripting vulnerability", "source": {"advisory": "GHSA-w8x4-x68c-m6fc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "eKoopmans", "product": "html2pdf.js", "versions": [{"status": "affected", "version": "< 0.14.0"}]}], "references": [{"url": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc", "name": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/issues/865", "name": "https://github.com/eKoopmans/html2pdf.js/issues/865", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/pull/877", "name": "https://github.com/eKoopmans/html2pdf.js/pull/877", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b", "name": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0", "name": "https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-14T16:52:38.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22787", "state": "PUBLISHED", "dateUpdated": "2026-01-20T18:37:09.279Z", "dateReserved": "2026-01-09T18:27:19.388Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-14T16:52:38.372Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ekoopmans:html2pdf.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C8E68496-D208-41FC-9032-437EE15C8395", "versionEndExcluding": "0.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0."}], "id": "CVE-2026-22787", "lastModified": "2026-03-12T18:15:22.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-14T17:16:09.290", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/eKoopmans/html2pdf.js/issues/865"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/eKoopmans/html2pdf.js/pull/877"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:20:01.714299+00:00", "value": {"mitigation_remediation": ["Upgrade the html2pdf.js library to version 0.14.0 or later, which removes the XSS vector", "If an upgrade is not immediately feasible, never pass untrusted text sources to the library; validate or sanitize all input before calling html2pdf.js", "Implement a Content Security Policy that disallows inline script execution to mitigate any residual injection risk"], "summary": {"action": "Upgrade", "impact": "Cross\u2011Site Scripting via unsanitized text input in html2pdf.js"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the eKoopmans html2pdf.js library on any Node.js environment that uses the library before version 0.14.0. Users who incorporate the old code into web pages or web applications are at risk.", "description_and_impact": "html2pdf.js is a client\u2011side library that converts web content into PDF documents. Versions prior to 0.14.0 embed supplied text directly into the DOM without proper sanitization. This flaw allows an attacker to inject malicious scripts that execute in the user\u2019s browser, potentially exposing or altering sensitive data and disrupting page functionality.", "risk_and_exploitability": "The flaw scores 8.7 on the CVSS scale, indicating high severity, and the EPSS probability is low (<1%). It is not listed in the CISA KEV catalog. Exploitation requires delivery of malicious text to the application, which is then processed by html2pdf.js when a user initiates a PDF conversion. Because the attack occurs entirely on the client side, it can occur without additional network interaction once the code is loaded into the browser."}}}}, "created": "2026-01-15T08:03:30.457207+00:00", "updated": "2026-04-18T06:30:25.903119+00:00", "vendors": ["ekoopmans", "ekoopmans$PRODUCT$html2pdf.js"]}