CVE-2026-24043: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in parallax jsPDF
CVE-2026-24043 is a medium-severity vulnerability in the jsPDF JavaScript library in versions prior to 4.1.0. It allows an attacker to inject arbitrary XML into the XMP metadata of generated PDFs via unsanitized input to the addMetadata function. This injection can compromise the integrity of PDFs, especially if they are signed or processed later. The vulnerability requires no authentication or user interaction and can be exploited remotely. The issue has been fixed in jsPDF version 4.1.0. European organizations using vulnerable jsPDF versions in their web applications or services that generate PDFs should update promptly to prevent potential integrity issues.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-24043 is an injection vulnerability classified under CWE-74 affecting the parallax jsPDF library, a popular JavaScript tool for generating PDF documents client-side or server-side. The flaw exists in versions prior to 4.1.0, where the first argument of the addMetadata function is not properly sanitized before being embedded as XMP metadata in the generated PDF. This allows an attacker who can control this input to inject arbitrary XML content into the PDF's metadata section. Since XMP metadata can be used for document signing, storage, or further processing, the injection undermines the integrity guarantees of the PDF. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the impact on integrity and ease of exploitation. No known exploits have been reported in the wild, but the vulnerability is significant for environments that rely on jsPDF for secure PDF generation. The issue was addressed in jsPDF version 4.1.0 by implementing proper input neutralization and sanitization in the addMetadata function to prevent XML injection.
Potential Impact
For European organizations, this vulnerability poses a risk to the integrity of PDF documents generated using vulnerable jsPDF versions. This is particularly critical for sectors that rely on digitally signed PDFs for legal, financial, or regulatory compliance purposes, such as banking, government, healthcare, and legal services. An attacker injecting malicious XML metadata could cause signature validation failures or introduce misleading metadata, potentially leading to document repudiation or manipulation. This undermines trust in document authenticity and could disrupt workflows dependent on automated PDF processing or archiving. Since jsPDF is widely used in web applications and client-side PDF generation, organizations embedding this library without proper updates may inadvertently expose themselves to integrity attacks. Although no confidentiality or availability impact is directly indicated, the loss of integrity in signed documents can have severe operational and reputational consequences.
Mitigation Recommendations
The primary mitigation is to upgrade all instances of jsPDF to version 4.1.0 or later, where the vulnerability has been fixed. Organizations should audit their codebases and dependencies to identify usage of vulnerable jsPDF versions, especially in web applications or services that generate PDFs. Additionally, implement strict input validation and sanitization on any data passed to the addMetadata function to prevent injection of malicious XML content. Employ security code reviews and automated scanning tools to detect unsafe usage patterns. For critical environments, consider implementing PDF integrity verification processes post-generation to detect anomalies in metadata. Educate developers about secure handling of third-party libraries and the risks of unsanitized input in document generation contexts. Finally, monitor security advisories for any emerging exploits related to this vulnerability and apply patches promptly.
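The two controls described above, neutralizing caller-supplied text before it reaches addMetadata and checking the XMP block of a generated PDF for markup the generator never intended, as an added JavaScript example that is neither jsPDF's own code nor part of the advisory. The XMP packet template, the allow-list of element names, the sample inputs and the `doc.addMetadata(...)` usage line are assumptions; the audit only flags element names outside the allow-list, it does not validate the XML.

```javascript
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Neutralise the five XML special characters so the value can only ever be
// character data, never markup, and reject control characters XML forbids.
function escapeXml(value) {
  const s = String(value);
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(s)) {
    throw new Error('metadata contains characters not allowed in XML');
  }
  return s.replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Constructed stand-in for how a generator embeds caller-supplied text in an
// XMP packet. `raw` is concatenated as-is (the unsafe pattern the advisory
// describes); callers are expected to pass escapeXml(userInput) instead.
function buildXmpPacket(raw) {
  return '<x:xmpmeta xmlns:x="adobe:ns:meta/">' +
    '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">' +
    '<rdf:Description rdf:about="" xmlns:jspdf="http://jspdf.default.namespaceuri/">' +
    '<jspdf:metadata>' + raw + '</jspdf:metadata>' +
    '</rdf:Description></rdf:RDF></x:xmpmeta>';
}

// Post-generation check: locate the XMP packet in a PDF (string or bytes) and
// list element names that are not on the assumed allow-list. A non-empty
// `unexpected` array means the metadata carries markup that was never intended.
const EXPECTED_ELEMENTS = new Set(['x:xmpmeta', 'rdf:RDF', 'rdf:Description', 'jspdf:metadata']);

function auditXmp(pdf) {
  const text = typeof pdf === 'string' ? pdf : Buffer.from(pdf).toString('latin1');
  const m = text.match(/<x:xmpmeta[\s\S]*?<\/x:xmpmeta>/);
  if (!m) return { found: false, unexpected: [] };
  // Every opening or closing tag name inside the packet, deduplicated.
  const names = [...m[0].matchAll(/<\/?([A-Za-z_][\w.:-]*)/g)].map((x) => x[1]);
  const unexpected = [...new Set(names.filter((n) => !EXPECTED_ELEMENTS.has(n)))];
  return { found: true, unexpected };
}

// Assumed jsPDF usage (not executed here): escape before handing text to the library.
//   doc.addMetadata(escapeXml(userSuppliedText), 'http://jspdf.default.namespaceuri/');
```

Escaping at the call site protects applications that cannot yet move to 4.1.0; the audit belongs in the pipeline that signs or archives the generated files, where an unexpected element name is a reason to reject the document.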
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-20T22:30:11.777Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69813005f9fa50a62f63a3d6
Added to database: 2/2/2026, 11:15:17 PM
Last enriched: 2/10/2026, 11:10:38 AM
Last updated: 3/24/2026, 7:05:51 AM