
CVE-2026-24737: CWE-116: Improper Encoding or Escaping of Output in parallax jsPDF

Severity: High
Tags: Vulnerability, CVE-2026-24737, CWE-116
Published: Mon Feb 02 2026 (02/02/2026, 20:29:05 UTC)
Source: CVE Database V5
Vendor/Project: parallax
Product: jsPDF

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.

AI-Powered Analysis

Last updated: 02/02/2026, 23:30:25 UTC

Technical Analysis

CVE-2026-24737 is a vulnerability classified under CWE-116 (Improper Encoding or Escaping of Output) affecting the parallax jsPDF library versions before 4.1.0. jsPDF is widely used to generate PDF documents client-side in JavaScript environments. The vulnerability resides in the Acroform module, which manages interactive form fields within PDFs. Specifically, the methods AcroformChoiceField.addOption, AcroformChoiceField.setOptions, and the properties AcroFormCheckBox.appearanceState and AcroFormRadioButton.appearanceState do not properly sanitize or encode user-supplied input. This flaw allows an attacker to inject arbitrary PDF objects, including JavaScript actions embedded within the PDF. When a victim opens the maliciously crafted PDF, the embedded JavaScript executes, potentially leading to unauthorized actions such as data exfiltration, session hijacking, or further malware deployment. The vulnerability requires no authentication and has a low attack complexity but does require the victim to open the malicious PDF, implying user interaction. The CVSS v3.1 score is 8.1, reflecting high confidentiality and integrity impacts but no availability impact. No known exploits are currently reported in the wild. The issue was publicly disclosed on February 2, 2026, and fixed in jsPDF version 4.1.0. Organizations using vulnerable versions in their web applications or document generation pipelines should prioritize patching and input validation to prevent exploitation.

Potential Impact

For European organizations, the impact of CVE-2026-24737 can be significant, especially for those relying on jsPDF for generating PDFs dynamically in client-facing or internal applications. Exploitation can lead to execution of arbitrary JavaScript within PDF viewers, potentially compromising sensitive data confidentiality and integrity. Attackers could use this vector to deliver payloads that steal credentials, manipulate document content, or pivot within networks. Sectors such as finance, government, healthcare, and legal services, which frequently handle sensitive documents, are particularly at risk. Additionally, organizations involved in software development or SaaS platforms that embed jsPDF may inadvertently distribute malicious PDFs if the vulnerability is exploited. The requirement for user interaction (opening the PDF) means phishing or social engineering campaigns could be used to trigger the attack. While no availability impact is expected, the breach of confidentiality and integrity could result in regulatory penalties under GDPR and damage to organizational reputation.

Mitigation Recommendations

1. Upgrade all instances of jsPDF to version 4.1.0 or later, where the vulnerability is patched.
2. Implement strict input validation and sanitization on all user-supplied data passed to Acroform-related APIs, especially addOption, setOptions, and the appearanceState properties.
3. Employ Content Security Policy (CSP) and PDF viewer security settings to restrict or disable JavaScript execution within PDFs where feasible.
4. Educate users and staff about the risks of opening unsolicited or unexpected PDF documents, especially those received via email or from untrusted sources.
5. Monitor PDF generation workflows for anomalies or unexpected content injection attempts.
6. For organizations distributing PDFs, consider digitally signing documents to ensure integrity and authenticity.
7. Conduct security reviews and code audits of applications using jsPDF to identify and remediate unsafe usage patterns.
8. Deploy endpoint protection solutions capable of detecting malicious PDF behaviors.

These steps go beyond generic patching by focusing on secure coding practices and user awareness to reduce exploitation risk.
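The following is an added example, not code from jsPDF or from this advisory, of what recommendation 2 (validating values before they reach the affected AcroForm members) can look like in the application that calls jsPDF. The upgrade to 4.1.0 remains the actual fix; this is a defense-in-depth layer for the calling code. The check functions and the `addValidatedOptions` / `setValidatedAppearanceState` wrappers are hypothetical names; the jsPDF member names (addOption, setOptions, appearanceState) are the ones the advisory lists. The example does not import jsPDF, so it uses a small stand-in field object and runs stand-alone.

```javascript
// Added example (not jsPDF's own code): defensive checks for values an
// application hands to jsPDF AcroForm APIs. Function names are hypothetical.

// Characters that delimit PDF objects, strings and names. A user-supplied
// value that is written into a PDF string literal or name token must never
// contain them, otherwise it can terminate the field definition early.
// '/' and '%' are blocked conservatively even though they are harmless in
// some positions.
const PDF_DELIMITERS = /[()<>\[\]{}\/%\\]/;
// C0/C1 control characters; CR and LF in particular are PDF whitespace.
const CONTROL_CHARS = /[\u0000-\u001F\u007F-\u009F]/;

// Choice-field option labels are free text, so use a denylist of PDF syntax
// characters plus a length cap rather than a strict allowlist.
function isSafeChoiceOption(value, maxLen = 256) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > maxLen) return false;
  if (PDF_DELIMITERS.test(value)) return false;
  if (CONTROL_CHARS.test(value)) return false;
  return true;
}

// appearanceState is a PDF name token (e.g. "On" / "Off"), so a strict
// allowlist of name characters is appropriate here.
const NAME_TOKEN = /^[A-Za-z0-9_-]{1,64}$/;
function isSafeAppearanceState(value) {
  return typeof value === 'string' && NAME_TOKEN.test(value);
}

// Wrapper that validates every option before calling setOptions on a field.
// `field` is any object exposing setOptions(string[]), as jsPDF's
// AcroFormChoiceField does. Fails closed: one tainted value rejects the
// whole batch rather than emitting a partially built field.
function addValidatedOptions(field, options) {
  const rejected = options.filter((opt) => !isSafeChoiceOption(opt));
  if (rejected.length > 0) {
    throw new Error(`Rejected ${rejected.length} unsafe option value(s)`);
  }
  field.setOptions(options.slice());
  return options.slice();
}

// Wrapper that validates an appearance state before assigning the property
// on a check box or radio button field object.
function setValidatedAppearanceState(field, state) {
  if (!isSafeAppearanceState(state)) {
    throw new Error('Rejected unsafe appearanceState value');
  }
  field.appearanceState = state;
  return state;
}

// Minimal stand-in for a jsPDF field object (constructed for this example so
// it runs without jsPDF installed).
function makeFakeField() {
  return {
    options: [],
    appearanceState: 'Off',
    addOption(v) { this.options.push(v); },
    setOptions(arr) { this.options = arr.slice(); },
  };
}

// Stand-alone demo.
const demoField = makeFakeField();
addValidatedOptions(demoField, ['Red', 'Green', 'Blue']);
setValidatedAppearanceState(demoField, 'On');
console.log(demoField.options, demoField.appearanceState);
```

In a real integration the validated values are passed to the jsPDF field exactly as the unvalidated ones would have been; the wrappers only decide whether the call happens. Logging the rejection (rather than silently dropping the value) also gives recommendation 5 something concrete to monitor.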


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-26T19:06:16.059Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69813005f9fa50a62f63a3e4

Added to database: 2/2/2026, 11:15:17 PM

Last enriched: 2/2/2026, 11:30:25 PM

Last updated: 2/6/2026, 8:22:46 PM

Views: 43

Community Reviews

0 reviews

