
CVE-2026-31938: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in parallax jsPDF

Severity: Critical
Published: Wed Mar 18 2026 (03/18/2026, 03:05:44 UTC)
Source: CVE Database V5
Vendor/Project: parallax
Product: jsPDF

Description

CVE-2026-31938 is a critical cross-site scripting (XSS) vulnerability in jsPDF versions prior to 4.2.1. It arises from improper neutralization of user-controlled input passed to the output function's options argument, allowing injection of arbitrary HTML and scripts. An attacker can exploit this by supplying malicious options values which, when a victim uses them to generate and open a PDF in a browser, execute scripts in the victim's browser context. This can lead to theft or manipulation of sensitive data accessible in that context. The vulnerability requires user interaction to open the crafted PDF but does not require authentication. It has a CVSS score of 9.6, indicating critical severity. The issue is fixed in jsPDF version 4.

AI-Powered Analysis

AILast updated: 03/18/2026, 03:42:56 UTC

Technical Analysis

CVE-2026-31938 is a critical cross-site scripting (XSS) vulnerability identified in the parallax jsPDF library, a widely used JavaScript tool for generating PDF documents in browsers. The flaw exists in versions prior to 4.2.1, where the 'output' function accepts an 'options' argument that can be controlled by users. The vulnerability stems from improper neutralization of input (CWE-79), allowing attackers to inject arbitrary HTML or JavaScript code into the browser context when the PDF is generated and opened. Specifically, if an attacker can supply malicious values for the output options—often via a web interface or API—these values are passed unsanitized to the PDF generation process. When a victim opens the resulting PDF in their browser, the injected scripts execute with the victim's browser privileges. This can lead to theft or modification of sensitive data accessible in the browser context, such as cookies, tokens, or other secrets. Exploitation requires the victim to interact by opening the crafted PDF, but no authentication or elevated privileges are needed. The vulnerability affects all jsPDF versions before 4.2.1 and has been patched in that release. No known exploits are reported in the wild yet. The vulnerability has a CVSS v3.1 score of 9.6 (critical), reflecting its high impact on confidentiality and integrity, ease of exploitation over the network, and the scope affecting all users of vulnerable versions. The recommended mitigation is to upgrade to jsPDF 4.2.1 or later. As an interim measure, developers should sanitize and validate all user inputs passed to the output function's options argument to prevent injection of malicious code.

Potential Impact

The impact of CVE-2026-31938 is significant for organizations using vulnerable versions of jsPDF in web applications that generate PDFs client-side. Successful exploitation allows attackers to execute arbitrary scripts in the victim's browser context, potentially leading to theft of sensitive information such as session tokens, personal data, or other secrets accessible in the browser. This can facilitate further attacks like session hijacking, unauthorized access, or data manipulation. The vulnerability compromises confidentiality and integrity, with a minor impact on availability. Since jsPDF is widely used in web applications globally, especially in SaaS platforms, document management systems, and online form processing tools, the threat surface is broad. Attackers can exploit this remotely without authentication, increasing risk. Organizations that do not promptly patch or sanitize inputs may face data breaches, reputational damage, and regulatory consequences. The requirement for user interaction (opening the PDF) somewhat limits automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios.

Mitigation Recommendations

1. Upgrade all instances of jsPDF to version 4.2.1 or later immediately to apply the official patch that fixes the vulnerability.
2. Implement strict input validation and sanitization on all user-supplied data passed to the output function's options argument to prevent injection of malicious HTML or scripts. Use well-established libraries or frameworks for sanitization rather than custom code.
3. Employ Content Security Policy (CSP) headers in web applications to restrict script execution contexts and reduce the impact of potential XSS.
4. Educate users about the risks of opening PDFs from untrusted sources, especially those generated dynamically via web interfaces.
5. Monitor web application logs and user reports for suspicious PDF generation or access patterns that could indicate exploitation attempts.
6. Conduct security testing, including static and dynamic analysis, focusing on PDF generation features to detect similar injection flaws.
7. If upgrading is not immediately feasible, consider disabling or restricting PDF generation features that accept user input until mitigations are in place.
8. Review and update incident response plans to include handling of XSS attacks via PDF generation vectors.
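Added example (not code from the advisory or from the jsPDF project) of the interim mitigation in item 2: an allowlisting wrapper that stands between user-controlled values and jsPDF's output(type, options). The permitted output types, the `filename` key and its accepted format are this example's own assumptions, not jsPDF documentation.

```javascript
// Added example for CVE-2026-31938 mitigation, not jsPDF project code.
// User-controlled values never reach doc.output() unfiltered: the output type
// comes from a fixed allowlist, only known option keys are forwarded, and the
// filename must match a conservative pattern or the request is rejected.

// Output types the application is willing to expose (assumption for this
// example). Types that render the PDF inside the current page are left out.
const ALLOWED_OUTPUT_TYPES = new Set(['blob', 'arraybuffer', 'datauristring']);
const DEFAULT_OUTPUT_TYPE = 'blob';

// ASCII letters, digits, dot, dash, underscore; no leading dot; bounded length.
const FILENAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/;

function sanitizeFilename(value) {
  const name = String(value);
  // The regex alone would still admit "..", so reject it explicitly.
  if (!FILENAME_RE.test(name) || name.includes('..')) {
    throw new Error('rejected unsafe filename');
  }
  return name.toLowerCase().endsWith('.pdf') ? name : `${name}.pdf`;
}

// Build the (type, options) pair that will reach doc.output(). Keys the
// application does not explicitly understand are dropped, not forwarded.
function sanitizeOutputOptions(userType, userOptions) {
  const type = ALLOWED_OUTPUT_TYPES.has(userType) ? userType : DEFAULT_OUTPUT_TYPE;
  const raw = userOptions && typeof userOptions === 'object' ? userOptions : {};
  const options = {};
  if (Object.prototype.hasOwnProperty.call(raw, 'filename')) {
    options.filename = sanitizeFilename(raw.filename);
  }
  return { type, options };
}

// Wrapper an application calls instead of doc.output() directly. `doc` is any
// object with an output(type, options) method: a jsPDF instance in practice,
// a stub below so the demo runs without jsPDF installed.
function exportPdf(doc, userType, userOptions) {
  const { type, options } = sanitizeOutputOptions(userType, userOptions);
  return doc.output(type, options);
}

// Demo with a stub document object (constructed for this example).
const stubDoc = { output: (type, options) => ({ type, options }) };
console.log(exportPdf(stubDoc, 'blob', { filename: 'report-2026', onclick: 'x' }));
```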


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-10T15:10:10.655Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69ba1bd6771bdb17491a1d61

Added to database: 3/18/2026, 3:28:22 AM

Last enriched: 3/18/2026, 3:42:56 AM

Last updated: 3/18/2026, 8:12:00 AM

