cvedb.io
CVE-2026-31898
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2026-03-18T04:17:21.050 · Last modified 2026-06-30T03:18:28.113

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in [email protected]. As a workaround, sanitize user input before passing it to the vulnerable API members.

Affected products

parall — jspdf

Does this affect you?

Add your gear to cvedb and we'll alert you only when parall ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.