CVE-2026-24043

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24043
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24043.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24043
Aliases
Related
Published
2026-02-02T20:34:50.617Z
Modified
2026-02-24T07:47:10.107985Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
jsPDF Affected by Stored XMP Metadata Injection (Spoofing & Integrity Violation)
Details

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.

Database specific 
{
    "cwe_ids": [
        "CWE-74"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24043.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/parallax/jspdf

Affected ranges

Type
GIT
Repo
https://github.com/parallax/jspdf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
02273814bf0222eda02944f9a14128811f3b5a33

Affected versions

1.*
1.1.135
1.3.4
v.*
v.1.4.0
v0.*
v0.9.0
v1.*
v1.0.106
v1.0.115
v1.0.116
v1.0.119
v1.0.138
v1.0.150
v1.0.178
v1.0.272
v1.2.60
v1.2.61
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.4.0
v1.4.1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
Other
v2,1,0
v2.*
v2.0.0
v2.1.1
v2.2.0
v2.3.0
v2.3.1
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v4.*
v4.0.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24043.json"