CVE-2026-24737 is a vulnerability in the parallax jsPDF library, versions prior to 4.1.0, that stems from improper encoding or escaping of output (CWE-116) in the Acroform module. The affected API members include AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. These methods allow user-controlled input to be injected directly into PDF objects without proper sanitization. An attacker can exploit this by crafting malicious input that injects arbitrary PDF objects, such as JavaScript actions embedded within the PDF. When a victim opens the malicious PDF, the embedded JavaScript executes, potentially leading to code execution or other malicious activities like phishing, data exfiltration, or further exploitation of the victim's environment. The vulnerability does not require any privileges or authentication but does require the victim to open the crafted PDF, making user interaction necessary. The vulnerability has been assigned a CVSS v3.1 score of 8.1 (high severity), reflecting its network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality and integrity. No known exploits are currently reported in the wild, but the risk remains significant due to the widespread use of jsPDF in web applications for PDF generation. The issue was publicly disclosed in early 2026 and fixed in jsPDF version 4.1.0. Organizations using jsPDF to generate PDFs with Acroform fields should urgently update to the patched version and review input sanitization practices to prevent injection of malicious content.

The vulnerability allows attackers to inject arbitrary JavaScript into PDFs generated by vulnerable jsPDF versions, which executes upon opening the document. This can lead to unauthorized code execution, data theft, phishing attacks, or further exploitation of the victim's system. For European organizations, this poses a significant risk especially in sectors where PDF generation is automated and distributed to external users, such as finance, legal, government, and healthcare. Confidentiality and integrity of sensitive information can be compromised, potentially leading to data breaches and regulatory non-compliance under GDPR. The attack requires no authentication but does require the victim to open the malicious PDF, which could be delivered via email or other document-sharing channels. The widespread use of jsPDF in web applications increases the attack surface. Additionally, compromised PDFs could damage organizational reputation and trust. Although no exploits are currently known in the wild, the vulnerability’s high severity and ease of exploitation make it a critical concern for European entities relying on jsPDF.

1. Immediately upgrade all instances of jsPDF to version 4.1.0 or later, where the vulnerability is fixed. 2. Implement strict input validation and sanitization for all user-supplied data passed to Acroform-related APIs, especially addOption, setOptions, and appearanceState properties. 3. Employ Content Security Policy (CSP) and PDF viewer security settings to restrict or disable JavaScript execution within PDFs where feasible. 4. Educate users to be cautious when opening PDFs from untrusted sources and implement email filtering to detect and block potentially malicious PDFs. 5. Conduct code audits and penetration testing focused on PDF generation components to identify and remediate similar injection risks. 6. Monitor security advisories and threat intelligence feeds for any emerging exploits targeting this vulnerability. 7. Where possible, avoid using dynamic JavaScript actions within PDFs unless absolutely necessary. 8. For web applications, consider sandboxing PDF generation processes to limit potential impact of exploitation.