html2pdf.js is a client-side JavaScript library that converts web pages or elements into printable PDFs. Versions prior to 0.14.0 contain a cross-site scripting (XSS) vulnerability identified as CVE-2026-22787 (CWE-79). The vulnerability occurs when the library is given a text source instead of a DOM element; the text is insufficiently sanitized before being appended to the DOM. This improper neutralization of input allows attackers to inject malicious scripts that execute in the context of the victim's browser. The CVSS 4.0 score of 8.7 reflects the vulnerability's high severity, with network attack vector, low attack complexity, no privileges or authentication required, but requiring user interaction. The vulnerability can lead to the compromise of confidentiality (e.g., theft of sensitive data), integrity (e.g., manipulation of page content), and availability (e.g., disruption of page functionality). Although no known exploits are currently reported in the wild, the widespread use of html2pdf.js in web applications makes this a significant risk. The issue was resolved in version 0.14.0 by improving input sanitization and handling of text sources. The vulnerability does not affect server-side components but targets client browsers rendering affected web pages.

For European organizations, this vulnerability poses a significant risk to web applications that utilize vulnerable versions of html2pdf.js. Successful exploitation can lead to client-side script execution, enabling attackers to steal user credentials, session cookies, or other sensitive information, potentially leading to account takeover or data breaches. It can also allow attackers to manipulate or deface web content, damaging organizational reputation. The availability of web services could be impacted if attackers inject scripts that disrupt page functionality or perform denial-of-service actions on the client side. Sectors with high reliance on web-based document generation or PDF exports, such as finance, healthcare, and government, are particularly vulnerable. Given the ease of exploitation and lack of required privileges, the threat is substantial, especially for organizations with large user bases in Europe. The vulnerability could also facilitate further attacks, such as phishing or malware distribution, by compromising trusted web pages.

The primary mitigation is to upgrade all instances of html2pdf.js to version 0.14.0 or later, where the vulnerability is fixed. Organizations should audit their web applications to identify usage of html2pdf.js and verify the version in use. Additionally, implement strict input validation and sanitization on all user-supplied data before processing or rendering. Employ Content Security Policies (CSP) to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Regularly monitor web application behavior for signs of script injection or anomalous activity. Educate developers on secure coding practices related to client-side libraries and the risks of processing untrusted input. Consider using security-focused code scanning tools to detect vulnerable dependencies. Finally, maintain an incident response plan to quickly address any exploitation attempts.