CVE-2026-22787

MEDIUM

html2pdf.js < 0.14.0 - Cross-Site Scripting via Text Source Input

Title source: llm

Description

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected].

References (6)

Core 6

Core References

Vendor Advisory x_refsource_confirm

https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc

Issue Tracking x_refsource_misc

https://github.com/eKoopmans/html2pdf.js/issues/865

Issue Tracking x_refsource_misc

https://github.com/eKoopmans/html2pdf.js/pull/877

Patch x_refsource_misc

https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0

Various Sources

https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability/

Scores

CVSS v3 6.1

EPSS 0.0006

EPSS Percentile 18.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

ekoopmans/html2pdf.js < 0.14.0

npm/html2pdf.js 0 - 0.14.0npm

Published Jan 14, 2026

Tracked Since Feb 18, 2026