Improper Encoding or Escaping of Output in jspdf

CVE-2026-31898

jspdf

Medium

6.5/10

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in [email protected]. As a workaround, sanitize user input before passing it to the vulnerable API members.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-116 - Improper Encoding or Escaping of Output

The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

Advisory Timeline

Published Mar 18, 2026

Improper Encoding or Escaping of Output in jspdf

CVE-2026-31898

Summary

CWE-116 - Improper Encoding or Escaping of Output

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS