{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24040", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-20T22:30:11.777Z", "datePublished": "2026-02-02T20:38:24.732Z", "dateUpdated": "2026-02-03T15:30:05.465Z"}, "containers": {"cna": {"title": "jsPDF has a Shared State Race Condition in addJS Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4"}, {"name": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e"}, {"name": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0"}], "affected": [{"vendor": "parallax", "product": "jsPDF", "versions": [{"version": "< 4.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T20:38:24.732Z"}, "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0."}], "source": {"advisory": "GHSA-cjw8-79x6-5cj4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:29:49.991694Z", "id": "CVE-2026-24040", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:30:05.465Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24040", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:29:49.991694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:29:57.853Z"}}], "cna": {"title": "jsPDF has a Shared State Race Condition in addJS Plugin", "source": {"advisory": "GHSA-cjw8-79x6-5cj4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "parallax", "product": "jsPDF", "versions": [{"status": "affected", "version": "< 4.1.0"}]}], "references": [{"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4", "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e", "name": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0", "name": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T20:38:24.732Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24040", "state": "PUBLISHED", "dateUpdated": "2026-02-03T15:30:05.465Z", "dateReserved": "2026-01-20T22:30:11.777Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T20:38:24.732Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "46B1DFBD-B23A-484B-B9EC-39B983D89431", "versionEndExcluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0."}, {"lang": "es", "value": "jsPDF es una biblioteca para generar PDFs en JavaScript. Antes de la versi\u00f3n 4.1.0, el m\u00e9todo addJS en la compilaci\u00f3n de Node.js de jspdf utiliza una variable compartida con \u00e1mbito de m\u00f3dulo (text) para almacenar contenido JavaScript. Cuando se utiliza en un entorno concurrente (por ejemplo, un servidor web Node.js), esta variable se comparte entre todas las solicitudes. Si m\u00faltiples solicitudes generan PDFs simult\u00e1neamente, el contenido JavaScript destinado a un usuario puede ser sobrescrito por una solicitud subsiguiente antes de que se genere el documento. Esto resulta en una Fuga de Datos entre Usuarios (Cross-User Data Leakage), donde el PDF generado para el Usuario A contiene la carga \u00fatil de JavaScript (y cualquier dato sensible incrustado) destinada al Usuario B. T\u00edpicamente, esto solo afecta a entornos del lado del servidor, aunque las mismas condiciones de carrera podr\u00edan ocurrir si jsPDF se ejecuta del lado del cliente. La vulnerabilidad ha sido corregida en jsPDF@4.1.0."}], "id": "CVE-2026-24040", "lastModified": "2026-02-18T14:42:05.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-02T23:16:07.660", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jsPDF: jsPDF: Cross-User Data Leakage via race condition in addJS method", "id": "2436133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436133"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-820", "details": ["jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.", "A flaw was found in jsPDF. When jsPDF is used in a concurrent environment, such as a Node.js web server, a race condition in the addJS method can lead to cross-user data leakage. This occurs because a shared variable used to store JavaScript content can be overwritten by simultaneous requests. As a result, a PDF generated for one user may contain sensitive JavaScript content intended for another user, leading to unauthorized information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24040", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-central-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-rhel8-operator", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-roxctl-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Not affected", "package_name": "advanced-cluster-security/rhacs-scanner-v4-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}], "public_date": "2026-02-02T20:38:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24040\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24040\nhttps://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e\nhttps://github.com/parallax/jsPDF/releases/tag/v4.1.0\nhttps://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4"], "statement": "This MODERATE impact vulnerability in jsPDF affects applications utilizing the `addJS` method in a concurrent server-side Node.js environment. A shared module-scoped variable can lead to cross-user data leakage when multiple PDF generation requests occur simultaneously, potentially embedding sensitive data from one user into another's PDF. This primarily impacts server-side deployments where jsPDF is used to generate documents concurrently.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T00:32:09.173137+00:00", "value": {"mitigation_remediation": ["Upgrade the jsPDF library to version\u202f4.1.0 or later, the official fix for the shared\u2011state race condition.", "If an upgrade cannot be performed immediately, disable or remove usage of the addJS plugin from the PDF generation flow so that no shared state is written.", "Restart or reload the Node.js application after disabling the plugin or upgrading, and verify that generated PDFs no longer contain unintended JavaScript content."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "This flaw affects the Parallax jsPDF package in all releases prior to version\u202f4.1.0. The vulnerability is relevant when the library is used in a Node.js environment, such as a web server that serves PDFs on demand. Client\u2011side use may also experience the race condition, though server\u2011side exposure is the main concern.", "description_and_impact": "jsPDF, a JavaScript PDF generation library, contains a race condition in its addJS method. The method uses a shared variable to store JavaScript content, so when multiple Node.js requests generate PDFs at the same time, one user's JavaScript payload can overwrite another's. The result is that a PDF delivered to User\u202fA may contain the JavaScript and sensitive data that were intended for User\u202fB, leading to cross\u2011user data leakage.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.3 and an EPSS score of less than 1\u202f%, indicating a moderate severity and low current exploitation probability. It is not listed in the CISA KEV catalog. An attacker who can induce concurrent PDF generation requests to a vulnerable server can cause the shared state to be overwritten, resulting in unintended exposure of JavaScript payloads and any data that the original user provided. The attack vector is inferred to be a concurrent request pattern rather than a remote code execution path. Because the data leakage only occurs when addJS is used, a deliberate or accidental use of the plugin can trigger the vulnerability."}}}}, "created": "2026-02-04T12:17:31.509154+00:00", "updated": "2026-04-18T00:45:32.230154+00:00", "vendors": ["parall", "parall$PRODUCT$jspdf"]}