VDB
CVE-2026-24043
CVE-2026-24043
PUBLISHED
CVSS 6.900000095367432 MEDIUM
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.
EPSS 0.02% · 3.6th percentile
Risk Scores
CVSS v4.0
6.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS Score
0.02%
3.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| parallax | jsPDF | < 4.1.0, < 4.1.0 |
| parall | jspdf | 0, 0 |
| npm | jspdf | 0, 0 |
Timeline
- Feb 2, 2026 CVE Published
- Feb 3, 2026 CVE Updated
- Feb 3, 2026 EPSS Score
- Feb 5, 2026 EPSS Score
- Feb 7, 2026 EPSS Score
- Feb 10, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
- Feb 16, 2026 EPSS Score
- Feb 19, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 23, 2026 EPSS Score
References
- https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 url
- https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff url
- https://github.com/parallax/jsPDF/releases/tag/v4.1.0 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-24043 advisory
- https://github.com/parallax/jsPDF package