CVE-2026-25940: CWE-116: Improper Encoding or Escaping of Output in parallax jsPDF
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
AI Analysis
Technical Summary
CVE-2026-25940 is a vulnerability identified in the parallax jsPDF library, specifically affecting versions prior to 4.2.0. jsPDF is widely used to programmatically generate PDF documents in JavaScript environments. The vulnerability stems from improper encoding or escaping of output (CWE-116) within the Acroform module, which handles interactive form elements in PDFs. Attackers can exploit this flaw by injecting arbitrary PDF objects, such as JavaScript actions, through user-controlled properties or methods. When a victim opens the crafted PDF and interacts with elements like radio buttons, the embedded JavaScript executes, potentially leading to unauthorized actions or data exposure. The vulnerability requires no privileges to exploit but does require user interaction (hovering over a radio option). The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality and integrity with network attack vector and low attack complexity. The vulnerability was publicly disclosed on February 19, 2026, and has been addressed in jsPDF version 4.2.0. No known exploits have been reported in the wild yet. The recommended workaround before patching is to sanitize all user inputs passed to the vulnerable Acroform API members to prevent injection of malicious objects.
Potential Impact
The vulnerability allows attackers to inject and execute arbitrary JavaScript within PDFs generated by vulnerable jsPDF versions, compromising confidentiality and integrity. This can lead to unauthorized data access, manipulation of PDF content, or execution of malicious actions within the victim’s PDF viewer environment. Since PDFs are widely used for document exchange, this flaw could be leveraged in targeted phishing campaigns or supply chain attacks, especially in environments where PDFs are dynamically generated from user input. The requirement for user interaction (hovering over a form element) limits automated exploitation but does not eliminate risk, as social engineering can induce victims to trigger the payload. The lack of authentication requirement means any attacker can craft malicious PDFs for distribution. Organizations relying on jsPDF for PDF generation in web applications or services are at risk of data breaches, reputational damage, and potential regulatory consequences if sensitive information is exposed or manipulated.
Mitigation Recommendations
1. Upgrade all jsPDF instances to version 4.2.0 or later immediately to apply the official fix.
2. Implement strict input validation and sanitization on all user-supplied data before passing it to the Acroform module or any PDF generation APIs to prevent injection of malicious objects.
3. Employ Content Security Policy (CSP) and PDF viewer security settings to restrict or disable JavaScript execution within PDFs where possible.
4. Educate users about the risks of opening PDFs from untrusted sources and interacting with embedded form elements.
5. Monitor PDF generation workflows for anomalous inputs or unexpected PDF content that could indicate exploitation attempts.
6. If upgrading is not immediately feasible, consider disabling or restricting the use of interactive form elements in PDFs generated by jsPDF.
7. Conduct regular security reviews of third-party libraries and dependencies to identify and remediate vulnerabilities promptly.
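The allowlist check below is an added example of the workaround in step 2 (sanitizing untrusted strings before they reach Acroform members); it is not jsPDF project code, the function names are hypothetical, and the length limit is an assumed application setting. It rejects the PDF syntax delimiters and escape characters that would let a field name or option value break out of the object it is written into, which is the CWE-116 condition the advisory describes.

```javascript
// Added example (not jsPDF code): allowlist validation for untrusted
// strings an application intends to pass to jsPDF Acroform members.
// Upgrading to jsPDF 4.2.0+ remains the real fix; this is the workaround.

// PDF syntax delimiters (ISO 32000-1, 7.2.2) plus the escape characters
// for literal strings ("\") and names ("#").
const PDF_SYNTAX_CHARS = /[()<>\[\]{}\/%\\#]/;
// Control characters are rejected too: a line break is whitespace to a
// PDF parser and can terminate a token.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;
const MAX_LEN = 128; // assumed application limit

class AcroformInputError extends Error {}

// Returns the trimmed input when it is safe to use, otherwise throws.
function assertSafeAcroformText(label, input) {
  if (typeof input !== "string") {
    throw new AcroformInputError(`${label}: expected a string`);
  }
  const value = input.trim();
  if (value.length === 0 || value.length > MAX_LEN) {
    throw new AcroformInputError(`${label}: length must be 1..${MAX_LEN}`);
  }
  if (PDF_SYNTAX_CHARS.test(value) || CONTROL_CHARS.test(value)) {
    throw new AcroformInputError(`${label}: contains PDF syntax characters`);
  }
  return value;
}

// Validates a whole untrusted radio-group definition and returns a clean
// copy; only the returned values should be handed to the Acroform API.
function sanitizeRadioGroup(untrusted) {
  const fieldName = assertSafeAcroformText("fieldName", untrusted.fieldName);
  const seen = new Set();
  const options = (untrusted.options || []).map((opt, i) => {
    const name = assertSafeAcroformText(`options[${i}]`, opt);
    if (seen.has(name)) {
      throw new AcroformInputError(`options[${i}]: duplicate "${name}"`);
    }
    seen.add(name);
    return name;
  });
  if (options.length === 0) {
    throw new AcroformInputError("options: at least one option required");
  }
  return { fieldName, options };
}

// Convenience predicate for logging or monitoring rejected inputs.
function isRejected(untrusted) {
  try { sanitizeRadioGroup(untrusted); return false; }
  catch (e) { if (e instanceof AcroformInputError) return true; throw e; }
}
```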
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T16:22:17.787Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69973033732724e9dc4fe1d3
Added to database: 2/19/2026, 3:45:55 PM
Last enriched: 2/19/2026, 4:00:29 PM
Last updated: 2/19/2026, 8:23:02 PM