Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in [email protected].
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422
Patch x_refsource_misc
https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff
Release Notes x_refsource_misc
https://github.com/parallax/jsPDF/releases/tag/v4.1.0
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
3.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-74
Status
published
Products (2)
npm/jspdf
0 - 4.1.0npm
parall/jspdf
< 4.1.0
Published
Feb 02, 2026
Tracked Since
Feb 18, 2026