html2pdf.js is a client-side JavaScript library that converts webpages or HTML elements into printable PDFs. Prior to version 0.14.0, the library contained a critical cross-site scripting (XSS) vulnerability identified as CVE-2026-22787 (CWE-79). This vulnerability occurs when html2pdf.js is used with a text source input rather than a DOM element. The library fails to properly neutralize or sanitize this text input before attaching it to the DOM, allowing malicious scripts embedded in the text to execute in the user's browser context. This improper input handling can lead to the execution of arbitrary JavaScript code, enabling attackers to steal sensitive information, manipulate page content, or disrupt availability. The vulnerability is exploitable remotely without authentication but requires user interaction (e.g., visiting a maliciously crafted page). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) reflects a network attack vector with low complexity, no privileges required, and high impact on confidentiality and integrity. Although no public exploits are currently known, the vulnerability poses a significant threat to any web application embedding vulnerable versions of html2pdf.js. The issue was addressed and fixed in version 0.14.0 by improving input sanitization and neutralization mechanisms. Organizations relying on this library should upgrade promptly to prevent exploitation.

For European organizations, exploitation of this XSS vulnerability could lead to unauthorized disclosure of sensitive data, session hijacking, defacement of web content, or injection of malicious payloads affecting users and internal systems. This is particularly critical for sectors handling personal data under GDPR, such as finance, healthcare, and e-commerce, where confidentiality breaches can result in regulatory penalties and reputational damage. The vulnerability can be leveraged to target employees or customers via phishing or malicious web pages, potentially enabling further lateral movement or credential theft. The client-side nature means that end users' browsers are directly impacted, increasing the risk of widespread compromise if the vulnerable library is embedded in popular web applications or portals. Given the high CVSS score and ease of exploitation, organizations face a substantial risk to data integrity and availability of services. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before active attacks emerge.

1. Immediately upgrade all instances of html2pdf.js to version 0.14.0 or later to ensure the vulnerability is patched. 2. Conduct an inventory of web applications and services to identify usage of html2pdf.js, especially those accepting user-generated text inputs. 3. Implement Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. 4. Sanitize and validate all user inputs at the application level before passing them to client-side libraries, employing robust libraries or frameworks for input validation. 5. Educate developers on secure usage of third-party libraries and the risks of injecting unsanitized text into the DOM. 6. Monitor web application logs and user reports for suspicious activity indicative of XSS exploitation attempts. 7. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with XSS detection capabilities as an additional layer of defense. 8. Review and update incident response plans to include scenarios involving client-side script injection attacks.