PT-2026-5721 · Jspdf · Jspdf

Ahmetartuc · Published 2026-02-02 · Updated 2026-02-18 · CVE-2026-24737

CVSS v2.0: 9.4 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions: jsPDF versions prior to 4.1.0

Description: A flaw exists in jsPDF, a JavaScript library for generating PDFs, where user control over properties and methods within the Acroform module can lead to the injection of arbitrary PDF objects, including JavaScript actions. Successful exploitation allows an attacker to execute code when a victim opens the document. The vulnerable API members include AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. These methods and properties, when provided with unsanitized input, permit the injection of malicious content.

Recommendations: Update to jsPDF version 4.1.0 or later.
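
One way for application code to act on this advisory, as an added example that is not jsPDF's own code or its fix: a version check against the fixed release, plus a conservative gate for values headed to the AcroForm members listed above. The helper names, the 256-character limit and the On/Off allowlist are assumptions.

```javascript
// Added example, not jsPDF code. All helper names are hypothetical.
const FIXED_VERSION = [4, 1, 0]; // advisory: fixed in jsPDF 4.1.0

// True when a plain "major.minor.patch" version is older than 4.1.0.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) throw new Error("unparseable version: " + version);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false;
}

// Characters with syntactic meaning in a PDF file: delimiters, backslash,
// and control characters (CR and LF included).
const PDF_SYNTAX_CHARS = /[()<>\[\]{}\/%\\\x00-\x1f\x7f]/;

// Conservative check for text headed to addOption / setOptions.
// Assumption: 256 characters is an application-chosen limit.
function isSafeOptionText(value) {
  return typeof value === "string" && value.length > 0 &&
    value.length <= 256 && !PDF_SYNTAX_CHARS.test(value);
}

// Appearance states: accept only values the application itself defines.
// Assumption: this form uses the states "On" and "Off".
function isSafeAppearanceState(value, allowed = ["On", "Off"]) {
  return typeof value === "string" && allowed.includes(value);
}

// Split untrusted options so rejected values can be logged, not rendered.
function filterOptions(options) {
  const accepted = [];
  const rejected = [];
  for (const opt of options) {
    (isSafeOptionText(opt) ? accepted : rejected).push(opt);
  }
  return { accepted, rejected };
}

// Constructed sample input.
const SAMPLE_OPTIONS = ["Red", "Green", "Blue (dark)", "line\nbreak", 42];
console.log(isAffectedVersion("4.0.0"), filterOptions(SAMPLE_OPTIONS));
```

The character gate also rejects harmless labels such as "Blue (dark)"; it is a stopgap for deployments that cannot yet move to 4.1.0, not a replacement for the update.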

Exploit

Fix

Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers

BDU:2026-01175
CVE-2026-24737
GHSA-PQXR-3G65-P328

Affected Products

Jspdf