CVE-2026-25940

jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

Assigner: GitHub_M
Reserved: 09.02.2026 Published: 19.02.2026 Updated: 19.02.2026

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	parallax
Product	jsPDF
Versions	Version < 4.2.0 is affected

Vendor

parallax

Product

jsPDF

Versions

Version < 4.2.0 is affected

References

Problem Types

CWE-116: Improper Encoding or Escaping of Output CWE

CVE-2026-25940 PUBLISHED

jsPDF's PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)

Metrics

Product Status

References

Problem Types