CVE-2026-25755
HIGHCVSS v3.1: 8.1 · EPSS: 0.0063 (45.8 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 8.1 v3.1 · NVD
- EPSS
- 0.0063 (45.8 percentile) · FIRST.org
- CISA KEV
- No
- Type
- Code Injection · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo privileges · Source: NVD Vector
- Affected vendors
- parall
- Published
- 2026-02-19 · Modified: 2026-06-30
- References
- Jump to references (8)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in [email protected]. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Reference https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md
- Patch https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437
- Patch https://github.com/parallax/jsPDF/releases/tag/v4.2.0
- Vendor advisory https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp
- Distro https://access.redhat.com/errata/RHSA-2026:7110
- Distro https://access.redhat.com/errata/RHSA-2026:7128
- Distro https://access.redhat.com/security/cve/CVE-2026-25755
- Distro https://bugzilla.redhat.com/show_bug.cgi?id=2440993