{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25755", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.357Z", "datePublished": "2026-02-19T14:41:46.941Z", "dateUpdated": "2026-02-19T17:36:10.677Z"}, "containers": {"cna": {"title": "jsPDF has PDF Object Injection via Unsanitized Input in addJS Method", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp"}, {"name": "https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437"}, {"name": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md", "tags": ["x_refsource_MISC"], "url": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md"}, {"name": "https://github.com/parallax/jsPDF/releases/tag/v4.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.0"}], "affected": [{"vendor": "parallax", "product": "jsPDF", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T15:26:05.745Z"}, "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method."}], "source": {"advisory": "GHSA-9vjf-qc39-jprp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T17:07:08.992065Z", "id": "CVE-2026-25755", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:36:10.677Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25755", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T17:07:08.992065Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T17:07:10.704Z"}}], "cna": {"title": "jsPDF has PDF Object Injection via Unsanitized Input in addJS Method", "source": {"advisory": "GHSA-9vjf-qc39-jprp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parallax", "product": "jsPDF", "versions": [{"status": "affected", "version": "< 4.2.0"}]}], "references": [{"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp", "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437", "name": "https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md", "name": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.0", "name": "https://github.com/parallax/jsPDF/releases/tag/v4.2.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T15:26:05.745Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25755", "state": "PUBLISHED", "dateUpdated": "2026-02-19T17:36:10.677Z", "dateReserved": "2026-02-05T18:35:52.357Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T14:41:46.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7EACE56E-B77C-421B-AAFE-F5FD3C80FE94", "versionEndExcluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method."}], "id": "CVE-2026-25755", "lastModified": "2026-02-23T18:52:20.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T15:16:12.303", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jsPDF: PDF object injection via unsanitized input in addJS method", "id": "2440993", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440993"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in jsPDF. The addJS method accepts user input without proper sanitization, allowing an attacker to inject arbitrary PDF objects into the document. A specially crafted payload that escapes the JavaScript string delimiter can execute malicious actions or alter the document structure, resulting in arbitrary code execution when a user opens a PDF with a viewer that supports embedded scripts."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, sanitize the user-provided JavaScript code before passing it to the addJS method by strictly escaping backslashes and parentheses."}, "name": "CVE-2026-25755", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}], "public_date": "2026-02-19T14:41:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-25755\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-25755\nhttps://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md\nhttps://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437\nhttps://github.com/parallax/jsPDF/releases/tag/v4.2.0\nhttps://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp"], "statement": "To exploit this flaw, an attacker must be able to supply a specially crafted payload to the application using the addJS method and convince a user to open the generated PDF document with a viewer that supports embedded scripts. Due to these reasons, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "jsPDF", "source": "cna", "vendor": "parallax"}, "product": "jspdf", "vendor": "parall"}], "analysis": {"en": {"generated_at": "2026-04-17T18:06:18.234992+00:00", "value": {"mitigation_remediation": ["Upgrade jsPDF to version 4.2.0 or newer immediately.", "If an upgrade cannot be performed, escape parentheses in all user\u2011provided JavaScript code before passing it to the addJS method as a temporary workaround.", "Audit all usage of addJS in your codebase, restrict the input to trusted sources, or disable the method for untrusted content."], "summary": {"action": "Apply patch", "impact": "Remote code execution via injected PDF objects"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Parallax jsPDF library in all releases older than 4.2.0. Any application that incorporates jsPDF before that version and calls addJS with external input is potentially exposed. The issue is fixed in jsPDF 4.2.0 and later releases.", "description_and_impact": "jsPDF is a JavaScript library that generates PDFs. In versions prior to 4.2.0 the addJS method accepts a user\u2011supplied argument without sanitization, allowing an attacker to inject arbitrary PDF objects by escaping the JavaScript string delimiter. The injected objects can contain malicious code or alter the document structure, so anyone who opens the resulting PDF may trigger code execution or compromise the integrity of the document.", "risk_and_exploitability": "With a CVSS score of 8.1, the risk is considered high, but the EPSS score of less than 1\u202f% indicates a very low probability of current exploitation. It is not listed in the CISA KEV catalog. The attack vector is likely through user\u2011generated data supplied to addJS; the attacker must craft a payload that escapes the JavaScript string. Successful exploitation would allow execution of arbitrary PDF objects, potentially leading to code execution or document tampering when a victim opens the file."}}}}, "created": "2026-02-20T10:06:41.897420+00:00", "updated": "2026-04-17T18:15:26.771683+00:00", "vendors": ["parall", "parall$PRODUCT$jspdf"]}