GHSA-p5xg-68wr-hm3m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p5xg-68wr-hm3m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-p5xg-68wr-hm3m/GHSA-p5xg-68wr-hm3m.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p5xg-68wr-hm3m
- Aliases
- Published
- 2026-02-19T19:32:48Z
- Modified
- 2026-02-19T20:16:59.919398Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
- Details
-
Impact
User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option.
AcroformChildClass.appearanceState
Example attack vector:
import { jsPDF } from "jspdf" const doc = new jsPDF(); const group = new doc.AcroFormRadioButton(); group.x = 10; group.y = 10; group.width = 20; group.height = 10; doc.addField(group); const child = group.createOption("opt1"); child.x = 10; child.y = 10; child.width = 20; child.height = 10; child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>"; doc.save("test.pdf");Patches
The vulnerability has been fixed in jsPDF@4.2.0.
Workarounds
Sanitize user input before passing it to the vulnerable API members.
- Database specific
{ "nvd_published_at": "2026-02-19T16:27:15Z", "github_reviewed_at": "2026-02-19T19:32:48Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-116" ] }- References
Affected packages
npm / jspdf
Package
- Name
- jspdf
- View open source insights on deps.dev
- Purl
- pkg:npm/jspdf