{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31898", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.689Z", "datePublished": "2026-03-18T03:03:43.469Z", "dateUpdated": "2026-03-18T14:00:43.434Z"}, "containers": {"cna": {"title": "jsPDF has a PDF Object Injection via FreeText color", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24"}, {"name": "https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8"}, {"name": "https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208"}, {"name": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1"}], "affected": [{"vendor": "parallax", "product": "jsPDF", "versions": [{"version": "< 4.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:03:43.469Z"}, "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members."}], "source": {"advisory": "GHSA-7x6v-j9x4-qf24", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T14:00:36.960715Z", "id": "CVE-2026-31898", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:00:43.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31898", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T14:00:36.960715Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T14:00:40.248Z"}}], "cna": {"title": "jsPDF has a PDF Object Injection via FreeText color", "source": {"advisory": "GHSA-7x6v-j9x4-qf24", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parallax", "product": "jsPDF", "versions": [{"status": "affected", "version": "< 4.2.1"}]}], "references": [{"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24", "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8", "name": "https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208", "name": "https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1", "name": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:03:43.469Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31898", "state": "PUBLISHED", "dateUpdated": "2026-03-18T14:00:43.434Z", "dateReserved": "2026-03-09T21:59:02.689Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T03:03:43.469Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "E32C16E0-23FB-49ED-B364-2170D7FC9935", "versionEndExcluding": "4.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members."}, {"lang": "es", "value": "jsPDF es una biblioteca para generar PDFs en JavaScript. Anterior a la versi\u00f3n 4.2.1, el control del usuario sobre los argumentos del m\u00e9todo 'createAnnotation' permite a los usuarios inyectar objetos PDF arbitrarios, como acciones de JavaScript. Si se le da la posibilidad de pasar entrada no saneada al siguiente m\u00e9todo, un usuario puede inyectar objetos PDF arbitrarios, como acciones de JavaScript, que podr\u00edan activarse cuando el PDF se abre o se interact\u00faa con el 'createAnnotation': par\u00e1metro 'color'. La vulnerabilidad ha sido corregida en jsPDF@4.2.1. Como soluci\u00f3n alternativa, sanee la entrada del usuario antes de pasarla a los miembros vulnerables de la API."}], "id": "CVE-2026-31898", "lastModified": "2026-03-20T18:08:04.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-18T04:17:21.050", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jspdf: jsPDF: Arbitrary code execution via unsanitized input in createAnnotation method", "id": "2448547", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448547"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in jsPDF, a JavaScript library used for generating PDF documents. This vulnerability allows a remote attacker to inject arbitrary PDF objects, including JavaScript actions, into a generated PDF. This can occur if unsanitized user input is provided to the `createAnnotation` method's `color` parameter. When a user opens or interacts with the specially crafted PDF, these injected actions may execute, potentially leading to arbitrary code execution or sensitive information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-31898", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Affected", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}], "public_date": "2026-03-18T03:03:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31898\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31898\nhttps://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208\nhttps://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8\nhttps://github.com/parallax/jsPDF/releases/tag/v4.2.1\nhttps://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.1)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "jsPDF", "source": "cna", "vendor": "parallax"}, "product": "jspdf", "vendor": "parall"}], "analysis": {"en": {"generated_at": "2026-03-20T19:25:03.421150+00:00", "value": {"mitigation_remediation": ["Upgrade jsPDF to version 4.2.1 or later.", "Sanitize any user\u2011supplied data passed to createAnnotation, especially the color parameter, before calling the API.", "If an upgrade is not possible, restrict usage of createAnnotation to trusted inputs only and monitor for abnormal PDF behavior.", "Keep an eye on the jsPDF community for future alerts or additional patches."], "summary": {"action": "Apply Patch", "impact": "Arbitrary PDF Object Injection that can trigger JavaScript actions"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source library jsPDF maintained by parallax. Any installation that uses a jsPDF version older than 4.2.1 is susceptible; the fix is available in the 4.2.1 release and later.", "description_and_impact": "jsPDF is a JavaScript library used to generate PDF documents. A flaw in versions prior to 4.2.1 allows an attacker to supply an unsanitized value for the color argument in the createAnnotation method, which is then inserted directly into the PDF stream. By crafting special content, the attacker can inject arbitrary PDF objects, including JavaScript actions that execute when a viewer opens or interacts with the PDF, potentially enabling remote code execution within the viewer environment.", "risk_and_exploitability": "The CVSS base score is 8.1, indicating high severity. EPSS is below 1%, so the likelihood of widespread exploitation is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to create a malicious PDF or to supply crafted input to an application that uses jsPDF, which is then opened by a victim\u2019s PDF reader. Once the PDF is accessed, the injected JavaScript actions may run with the privileges of the viewer, enabling code execution, data exfiltration, or other malicious behavior."}}}}, "created": "2026-03-18T10:41:57.680963+00:00", "updated": "2026-03-24T10:59:27.128328+00:00", "vendors": ["parall", "parall$PRODUCT$jspdf"]}