CVE-2026-25940

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.2.0

Description jsPDF is a JavaScript library used to generate PDF documents. Prior to version 4.2.0, the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions, through user-controlled input. This can lead to the execution of these actions when a user interacts with the PDF, such as hovering over a radio option. The vulnerability stems from a lack of sanitization of input passed to the Acroform module's properties and methods.

Recommendations Versions prior to 4.2.0 should be updated to version 4.2.0 or later. As a workaround, sanitize user input before passing it to the vulnerable API members of the Acroform module.