PT-2026-2926 · Unknown · Html2Pdf.Js

Aydinnyunus · Published 2026-01-14 · Updated 2026-03-12 · CVE-2026-22787

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: html2pdf.js versions prior to 0.14.0

Description: html2pdf.js converts webpages or elements into printable PDFs client-side. When provided with a text source instead of an element, versions prior to 0.14.0 do not sufficiently sanitize the text before attaching it to the Document Object Model (DOM). This allows malicious scripts to execute in the client browser, potentially compromising the confidentiality, integrity, and availability of the page's data. An example attack vector involves using a malicious HTML string containing an img tag with an onerror event handler, such as <img src=x onerror="alert(document.cookie)">, to execute JavaScript code.

Recommendations: Versions prior to 0.14.0 should be updated to version 0.14.0, which includes text source sanitization using DOMPurify. As a workaround, users of earlier versions must safely sanitize any text before using it as a source in html2pdf.js.
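The workaround above, as an added example that is not part of the advisory or of html2pdf.js itself: a small guard placed in front of html2pdf's `.from(source)` so that a string source never reaches the DOM as raw markup. Element sources pass through untouched (the weakness is in the string path); strings are HTML-encoded to literal text by default, and only an explicit opt-in keeps them as markup, in which case a sanitizer (DOMPurify in production) is mandatory. The globals `html2pdf` and `DOMPurify` in the last function are assumed to be loaded by the page; the guard functions themselves run anywhere.

```javascript
// Added example, not html2pdf.js code. Models the pre-0.14.0 hazard described
// in the advisory: a string source that is attached to the DOM unsanitized.

// HTML-encode a string so the renderer shows it as literal text, not markup.
// The advisory's payload <img src=x onerror="..."> becomes inert text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Decide what may be handed to html2pdf().from(...):
//  - non-strings (DOM elements) pass through; the issue is the string path;
//  - strings are escaped to plain text by default;
//  - with allowMarkup the string stays HTML and MUST go through `sanitize`
//    (DOMPurify.sanitize in production). No sanitizer means no markup.
function prepareSource(source, { allowMarkup = false, sanitize } = {}) {
  if (typeof source !== 'string') {
    return source; // an Element is read as a node, not parsed as markup text
  }
  if (!allowMarkup) {
    return escapeHtml(source);
  }
  if (typeof sanitize !== 'function') {
    throw new Error('string sources with markup require a sanitizer such as DOMPurify.sanitize');
  }
  return sanitize(source);
}

// Browser-only, hypothetical usage: `html2pdf` and `DOMPurify` are assumed
// globals loaded via <script>. Untrusted text goes through the guard first.
function renderUntrusted(source, allowMarkup = false) {
  const safe = prepareSource(source, {
    allowMarkup,
    sanitize: typeof DOMPurify !== 'undefined' ? (s) => DOMPurify.sanitize(s) : undefined,
  });
  return html2pdf().from(safe).save();
}
```

Treat `escapeHtml` as the default for plain text only; when untrusted input must be rendered as HTML, the sanitizer argument is the control, and a homegrown filter is not a substitute for DOMPurify.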

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2026-22787 · GHSA-W8X4-X68C-M6FC

Affected Products: Html2Pdf.Js