Vulnerability in Parallax Jspdf

CVE-2026-24043

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata m…

EPSS: 0.000 (5.3th percentile) — read the EPSS interpretation.

Affected products

Parallax Jspdf — versions < 4.1.0

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 (x_refsource_CONFIRM)
https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff (x_refsource_MISC)
https://github.com/parallax/jsPDF/releases/tag/v4.1.0 (x_refsource_MISC)