CVE-2026-24043

Name of the Vulnerable Software and Affected Versions jsPDF versions prior to 4.1.0

Description jsPDF is a JavaScript library used to generate PDF documents. A flaw exists due to user-controlled input to the addMetadata function, allowing arbitrary XML injection. If unsanitized input is provided to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. This can compromise the integrity of the PDF if it is subsequently signed or processed. The example attack vector demonstrates injecting a fake "dc:creator" (Author) to spoof the document source. The vulnerable function is addMetadata. The first argument of the addMetadata function is the vulnerable parameter.

Recommendations Versions prior to 4.1.0 should be updated to version 4.1.0 or later. Sanitize user input before passing it to the addMetadata method by escaping XML entities. For example, replace '&' with '&', '<' with '<', '>' with '>', '"' with '"', and "'" with '''.