cvedb.io
CVE-2026-25535
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-02-19T15:16:12.130 · Last modified 2026-06-30T03:17:42.337

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.

Affected products

parall — jspdf

Does this affect you?

Add your gear to cvedb and we'll alert you only when parall ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.