PT-2026-25976 · Jspdf · Jspdf

Sofianeelhor · Published 2026-03-17 · Updated 2026-03-25 · CVE-2026-31898

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: jsPDF versions prior to 4.2.1
Description: jsPDF is a JavaScript library used to generate PDF documents. A flaw exists where user-controlled arguments to the createAnnotation method allow the injection of arbitrary PDF objects, including JavaScript actions. If unsanitized input is passed to createAnnotation, specifically in the color parameter, malicious content can be injected into the generated PDF, and the injected code may execute when the PDF is opened or interacted with. An example attack vector is a crafted payload that, when used as the color value in createAnnotation, triggers the execution of arbitrary commands, such as calc.exe.
Recommendations: Update versions prior to 4.2.1 to version 4.2.1 or later. Sanitize user input before passing it to the createAnnotation method.
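The recommendation above asks for sanitizing input before it reaches createAnnotation. The following is an added example, not code from jsPDF or from this advisory, of the stricter form of that advice: an allow-list check that only lets a plain #RRGGBB value through as the color option and rejects anything carrying extra tokens or PDF delimiters. It assumes the application supplies colors as CSS-style hex strings and that the document object exposes createAnnotation(options) as the advisory describes; the recording stand-in for a jsPDF document and the sample inputs are constructed for the example.

```javascript
// Added example (not jsPDF's own code): allow-list validation for the `color`
// option handed to createAnnotation, so that only a well-formed #RRGGBB string
// reaches the PDF object writer. Assumption: the application accepts colors as
// CSS-style hex strings; adapt the pattern if another format is in use.

const HEX_COLOR = /^#[0-9a-fA-F]{6}$/;

// Accept only a six-digit hex color; anything else (named colors, trailing
// characters, PDF delimiters such as ')' or '/', non-strings) is rejected.
function isSafeAnnotationColor(value) {
  return typeof value === 'string' && HEX_COLOR.test(value);
}

// Wrapper that fails closed: a rejected color never reaches createAnnotation.
// `doc` is any object exposing createAnnotation(options), e.g. a jsPDF instance
// (assumption about the API shape, taken from the advisory text).
function createAnnotationSafely(doc, options) {
  if (options.color !== undefined && !isSafeAnnotationColor(options.color)) {
    throw new TypeError(`rejected annotation color: ${JSON.stringify(options.color)}`);
  }
  return doc.createAnnotation(options);
}

// Constructed sample values, as a web form might hand them to the generator.
const SAMPLE_COLORS = [
  '#ff0000',          // plain hex: accepted
  '#00FF00',          // upper-case hex: accepted
  'red',              // named color: rejected (not in the allow-list)
  '#ff0000)',         // stray PDF delimiter: rejected
  '#ff0000 /Extra 1', // additional tokens after the value: rejected
  42,                 // non-string: rejected
];

// Classify every sample so the decision for each input is visible at once.
function classifySampleColors() {
  return SAMPLE_COLORS.map((value) => ({ value, safe: isSafeAnnotationColor(value) }));
}

// Constructed stand-in for a jsPDF document: records the options it receives
// instead of writing a PDF, so the wrapper can be exercised offline.
function makeRecordingDoc() {
  const calls = [];
  return {
    calls,
    createAnnotation(options) {
      calls.push(options);
      return options;
    },
  };
}

// Run the wrapper over the samples and report what reached the document.
function runSamples() {
  const doc = makeRecordingDoc();
  const rejected = [];
  for (const color of SAMPLE_COLORS) {
    try {
      createAnnotationSafely(doc, { contents: 'constructed note', color });
    } catch (err) {
      rejected.push(color);
    }
  }
  return { accepted: doc.calls.map((c) => c.color), rejected };
}

console.log(classifySampleColors());
console.log(runSamples());
```

The check validates rather than escapes: with an allow-list there is no escaping rule to get wrong, and a value that fails validation is simply never written into the PDF. Apply the same discipline to any other free-form string that ends up inside a PDF object.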

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

BDU:2026-05059
CVE-2026-31898
GHSA-7X6V-J9X4-QF24

Affected Products

Jspdf