CVE-2026-25755

HIGH

jsPDF < 4.2.0 - Code Injection via addJS Method

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-25755. PoCs published by XiaomingX, absholi7ly.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-25755, a PDF Object Injection vulnerability in jsPDF's `addJS()` function, including root cause analysis, vulnerable code snippets, and a proof-of-concept payload demonstrating the injection mechanism.

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in [email protected]. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

Exploits (2)

github WRITEUP 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25755

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-25755, a PDF Object Injection vulnerability in jsPDF's `addJS()` function, including root cause analysis, vulnerable code snippets, and a proof-of-concept payload demonstrating the injection mechanism.

Classification

Writeup 95%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: jsPDF < 4.2.0

No auth needed

Prerequisites: jsPDF library usage in a client-side application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WRITEUP

by absholi7ly · poc

https://github.com/absholi7ly/jsPDF-Object-Injection

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-25755, a PDF Object Injection vulnerability in jsPDF's `addJS()` function, including root cause analysis, vulnerable code snippets, and PoC payloads demonstrating the injection mechanism.

Classification

Writeup 95%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: jsPDF < 4.2.0

No auth needed

Prerequisites: jsPDF library usage in a client-side application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 24, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory x_refsource_confirm

https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp

Patch x_refsource_misc

https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437

View Patch ZIP pw:eip

Various Sources x_refsource_misc

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md

View Writeup ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/parallax/jsPDF/releases/tag/v4.2.0

Scores

CVSS v3 8.1

EPSS 0.0003

EPSS Percentile 7.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94 CWE-116

Status published

Products (2)

npm/jspdf 0 - 4.2.0npm

parall/jspdf < 4.2.0

Published Feb 19, 2026

Tracked Since Feb 19, 2026