PT-2026-25977 · Jspdf · Jspdf
Sofianeelhor · Published 2026-03-17 · Updated 2026-03-19
CVE-2026-31938
CVSS v2.0 · 9.7 · Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:P |
Name of the Vulnerable Software and Affected Versions
jsPDF versions prior to 4.2.1
Description
jsPDF, a JavaScript library used for generating PDFs, contains a flaw where insufficient sanitization of user-controlled input within the options argument of the output function allows attackers to inject arbitrary HTML, including scripts, into the browser context when a generated PDF is opened. This can lead to the execution of malicious code within the victim's browser, potentially allowing attackers to extract or modify sensitive information. The vulnerability affects the "pdfobjectnewwindow", "pdfjsnewwindow", and "dataurlnewwindow" overloads, specifically impacting the pdfObjectUrl, pdfJsUrl, and filename options. An example attack vector involves crafting a malicious payload within the filename option to inject a script tag.
Recommendations
Upgrade to jsPDF version 4.2.1 or sanitize user input before passing it to the output method.
Exploit
Fix
XSS
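One way to apply the recommendation to sanitize user input before it reaches the output method, shown as an added example (not jsPDF code and not the 4.2.1 fix). It allowlists the filename, pdfObjectUrl and pdfJsUrl options named in the description; the helper names, ALLOWED_VIEWER_ORIGINS and viewer.example.com are assumptions.

```javascript
// Added example, not jsPDF code. Hypothetical helpers that validate the three
// options named in the advisory before they reach doc.output().
// Assumption: viewer pages are hosted only on the origins listed here.
const ALLOWED_VIEWER_ORIGINS = new Set(["https://viewer.example.com"]);

function safeFilename(name) {
  // Allowlist: letters, digits, dot, underscore, space, hyphen. Quotes, angle
  // brackets and slashes are dropped, so no markup can survive in the name.
  const cleaned = String(name ?? "")
    .replace(/[^A-Za-z0-9._ -]/g, "")
    .trim()
    .slice(0, 100);
  if (!cleaned) return "document.pdf";
  return /\.pdf$/i.test(cleaned) ? cleaned : cleaned + ".pdf";
}

function safeViewerUrl(value) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return null; // not an absolute URL
  }
  // Rejects javascript:, data: and plain http: as well as unknown hosts.
  if (url.protocol !== "https:" || !ALLOWED_VIEWER_ORIGINS.has(url.origin)) return null;
  // Use the parser's re-serialized form and refuse any leftover HTML metacharacters.
  return /["'<>`]/.test(url.href) ? null : url.href;
}

function sanitizeOutputOptions(options = {}) {
  // Copy only the known keys; everything else the caller passed is discarded.
  const out = { filename: safeFilename(options.filename) };
  for (const key of ["pdfObjectUrl", "pdfJsUrl"]) {
    if (options[key] === undefined) continue;
    const url = safeViewerUrl(options[key]);
    if (url === null) throw new Error(`rejected ${key}`);
    out[key] = url;
  }
  return out;
}

// Intended call site (userOptions is untrusted input):
//   doc.output("pdfjsnewwindow", sanitizeOutputOptions(userOptions));
```

Input validation of this kind is a stopgap for applications that cannot upgrade immediately; the advisory's primary recommendation remains version 4.2.1.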
Weakness Enumeration
Related Identifiers
Affected Products
Jspdf