CVE-2026-25940: CWE-116: Improper Encoding or Escaping of Output in parallax jsPDF
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in [email protected]. As a workaround, sanitize user input before passing it to the vulnerable API members.
AI Analysis
Technical Summary
CVE-2026-25940 is a high-severity vulnerability in the parallax jsPDF library affecting versions prior to 4.2.0. It involves improper encoding or escaping of output in the Acroform module, allowing attackers to inject arbitrary PDF objects including JavaScript actions. These injected actions execute when a victim hovers over a radio option in the generated PDF. The vulnerability is addressed by the official fix in jsPDF 4.2.0. Until upgrading, sanitizing user input before passing it to the affected properties and methods mitigates the risk.
Potential Impact
Successful exploitation allows an attacker to inject arbitrary PDF objects such as JavaScript actions that execute in the context of the PDF viewer when the victim interacts with form elements. This can lead to high confidentiality and integrity impacts by executing malicious code within the PDF environment. Availability is not impacted.
Mitigation Recommendations
An official fix is available in jsPDF version 4.2.0. Users should upgrade to version 4.2.0 or later to remediate this vulnerability. As a temporary workaround, sanitize all user input before passing it to the vulnerable Acroform module properties and methods to prevent injection of arbitrary PDF objects.
CVE-2026-25940: CWE-116: Improper Encoding or Escaping of Output in parallax jsPDF
Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in [email protected]. As a workaround, sanitize user input before passing it to the vulnerable API members.
CVSS v3.1
Score 8.1high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-25940 is a high-severity vulnerability in the parallax jsPDF library affecting versions prior to 4.2.0. It involves improper encoding or escaping of output in the Acroform module, allowing attackers to inject arbitrary PDF objects including JavaScript actions. These injected actions execute when a victim hovers over a radio option in the generated PDF. The vulnerability is addressed by the official fix in jsPDF 4.2.0. Until upgrading, sanitizing user input before passing it to the affected properties and methods mitigates the risk.
Potential Impact
Successful exploitation allows an attacker to inject arbitrary PDF objects such as JavaScript actions that execute in the context of the PDF viewer when the victim interacts with form elements. This can lead to high confidentiality and integrity impacts by executing malicious code within the PDF environment. Availability is not impacted.
Mitigation Recommendations
An official fix is available in jsPDF version 4.2.0. Users should upgrade to version 4.2.0 or later to remediate this vulnerability. As a temporary workaround, sanitize all user input before passing it to the vulnerable Acroform module properties and methods to prevent injection of arbitrary PDF objects.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-09T16:22:17.787Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-25940","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:7110","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:7128","vendor":"Red Hat"}]
Threat ID: 69973033732724e9dc4fe1d3
Added to database: 02/19/2026, 15:45:55 UTC
Last enriched: 06/30/2026, 21:27:22 UTC
Last updated: 07/09/2026, 20:42:34 UTC
Views: 175
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.