Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.4%top 65%

CVE-2026-25940: CWE-116: Improper Encoding or Escaping of Output in parallax jsPDF

0
High
VulnerabilityCVE-2026-25940cvecve-2026-25940cwe-116
Published: 02/19/2026 (02/19/2026, 15:26:57 UTC)
Source: CVE Database V5
Vendor/Project: parallax
Product: jsPDF

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in [email protected]. As a workaround, sanitize user input before passing it to the vulnerable API members.

CVSS v3.1

Score 8.1high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected software

Affected versions
<4.2.0

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/30/2026, 21:27:22 UTC

Technical Analysis

CVE-2026-25940 is a high-severity vulnerability in the parallax jsPDF library affecting versions prior to 4.2.0. It involves improper encoding or escaping of output in the Acroform module, allowing attackers to inject arbitrary PDF objects including JavaScript actions. These injected actions execute when a victim hovers over a radio option in the generated PDF. The vulnerability is addressed by the official fix in jsPDF 4.2.0. Until upgrading, sanitizing user input before passing it to the affected properties and methods mitigates the risk.

Potential Impact

Successful exploitation allows an attacker to inject arbitrary PDF objects such as JavaScript actions that execute in the context of the PDF viewer when the victim interacts with form elements. This can lead to high confidentiality and integrity impacts by executing malicious code within the PDF environment. Availability is not impacted.

Mitigation Recommendations

An official fix is available in jsPDF version 4.2.0. Users should upgrade to version 4.2.0 or later to remediate this vulnerability. As a temporary workaround, sanitize all user input before passing it to the vulnerable Acroform module properties and methods to prevent injection of arbitrary PDF objects.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-09T16:22:17.787Z
Cvss Version
3.1
State
PUBLISHED
Vendor Advisory Urls
[{"url":"https://access.redhat.com/security/cve/CVE-2026-25940","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:7110","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:7128","vendor":"Red Hat"}]

Threat ID: 69973033732724e9dc4fe1d3

Added to database: 02/19/2026, 15:45:55 UTC

Last enriched: 06/30/2026, 21:27:22 UTC

Last updated: 07/09/2026, 20:42:34 UTC

Views: 175

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses