CVE-2026-24040

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.1.0

Description jsPDF is a JavaScript library used to generate PDF documents. A flaw exists in the addJS method within the Node.js build, versions prior to 4.1.0, due to the use of a shared module-scoped variable (text) for storing JavaScript content. In concurrent environments, such as Node.js web servers, this shared variable can lead to Cross-User Data Leakage. Specifically, JavaScript content intended for one user may be overwritten by content from another request before the PDF is fully generated, resulting in a PDF for User A containing the JavaScript payload meant for User B. This issue primarily affects server-side environments, but similar race conditions could potentially occur in client-side implementations.

Recommendations Update to jsPDF version 4.1.0 or later.