216.73.216.78

CVE-2026-25755

· Published 19/02/2026 15:16 · Modified 19/02/2026 15:52

Labels: CVE-2026-25755 2026-02-19CVE-2026-25755CWE-94[email protected]

Essential information

Published
19/02/2026 15:16
Modified
19/02/2026 15:52
Author
Creator
CVSS
8.1 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS metrics

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in [email protected]. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

NVD status

Status
Undergoing Analysis — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
mozilla / jspdf cpe:2.3:a:mozilla:jspdf:*:*:*:*:*:*:*:*

References