CVE-2026-24043 is an injection vulnerability classified under CWE-74 affecting the parallax jsPDF library, a widely used JavaScript tool for generating PDF documents client-side or server-side. The flaw exists in versions prior to 4.1.0 where the addMetadata function accepts user-controlled input as its first argument without proper sanitization or neutralization of special XML characters. This allows an attacker to inject arbitrary XMP metadata into the generated PDF files. Since XMP metadata can be embedded deeply within PDFs and may be used for digital signatures, document validation, or archival purposes, the injection undermines the integrity guarantees of the PDF. If a PDF is signed or processed by downstream systems relying on metadata integrity, the injected XML can cause trust violations or manipulation of document metadata. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, no confidentiality or availability impact, but partial integrity impact with limited scope. The issue was publicly disclosed on February 2, 2026, and fixed in jsPDF version 4.1.0. No known exploits have been reported in the wild to date. Organizations using jsPDF versions below 4.1.0 should prioritize upgrading to mitigate this risk.

For European organizations, this vulnerability poses a risk primarily to the integrity of PDF documents generated using vulnerable jsPDF versions. Industries relying on digitally signed PDFs for contracts, legal documents, financial reports, or regulatory submissions could face document trust issues if malicious metadata injection occurs. This could lead to legal disputes, compliance violations, or reputational damage. Since jsPDF is popular in web applications and internal tools, any automated PDF generation pipeline that does not sanitize metadata inputs is vulnerable. The injection does not directly compromise confidentiality or availability but undermines the reliability of document metadata, which can affect audit trails and digital signature verification. Organizations in sectors such as finance, legal, government, and healthcare in Europe, where document integrity is critical, are particularly at risk. The lack of known exploits reduces immediate threat but does not eliminate the risk of future attacks. The vulnerability’s remote exploitability without authentication increases the attack surface, especially for public-facing applications.

European organizations should immediately upgrade all instances of jsPDF to version 4.1.0 or later to ensure the vulnerability is patched. For legacy systems where upgrading is not immediately feasible, implement strict input validation and sanitization on any user-supplied data passed to the addMetadata function to neutralize special XML characters and prevent injection. Employ PDF signing and verification tools that validate the integrity of both the document content and metadata to detect tampering. Incorporate security testing in the development lifecycle to identify unsanitized metadata inputs. Monitor PDF generation workflows for anomalies in metadata fields. Additionally, restrict access to PDF generation endpoints to trusted users and networks to reduce exposure. Educate developers about secure handling of metadata in PDFs and the risks of injection attacks. Finally, maintain an inventory of applications using jsPDF to ensure comprehensive patching and risk assessment.