The vulnerability identified as CVE-2026-31898 affects the parallax jsPDF library, versions before 4.2.1. jsPDF is widely used to programmatically generate PDF documents in JavaScript environments. The root cause is improper encoding or escaping of output (CWE-116) in the createAnnotation method, particularly through the color parameter. This flaw allows an attacker who can supply unsanitized input to inject arbitrary PDF objects, including JavaScript actions embedded within the PDF structure. When a user opens or interacts with the crafted PDF, these malicious JavaScript actions can execute, potentially leading to unauthorized information disclosure or manipulation of the PDF content. The vulnerability does not require authentication or elevated privileges but does require user interaction to open or interact with the PDF. The CVSS v3.1 base score is 8.1, reflecting high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction, and resulting in high confidentiality and integrity impacts without affecting availability. The vulnerability was reserved on March 9, 2026, and published on March 18, 2026. The issue has been addressed in jsPDF version 4.2.1. Until upgrading, developers should sanitize all user inputs passed to createAnnotation and related API methods to prevent injection of malicious PDF objects.

This vulnerability poses a significant risk to organizations that use jsPDF to generate PDFs dynamically from user-supplied data, especially in web applications and services. Successful exploitation can lead to execution of arbitrary JavaScript within the PDF context, potentially enabling data theft, unauthorized actions, or further exploitation of client systems when users open malicious PDFs. Confidentiality and integrity of sensitive documents can be compromised. Because PDFs are widely used for document exchange, this vulnerability could be leveraged in targeted phishing or social engineering attacks. Organizations relying on jsPDF in customer-facing or internal applications may face reputational damage, data breaches, or regulatory consequences if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure.

To mitigate this vulnerability, organizations should immediately upgrade to jsPDF version 4.2.1 or later, where the issue is fixed. Until upgrading is possible, developers must rigorously sanitize and validate all user inputs passed to the createAnnotation method and any other potentially vulnerable API calls, especially the color parameter, to prevent injection of arbitrary PDF objects. Employ strict input validation, escaping, and encoding techniques to neutralize malicious payloads. Additionally, consider implementing PDF content scanning and sandboxing PDF viewers to limit JavaScript execution risks. Educate users about the dangers of opening PDFs from untrusted sources to reduce the risk of social engineering attacks. Monitor for any emerging exploit reports and apply patches promptly. Finally, review application logging and alerting to detect suspicious PDF generation or access patterns.