CVE-2026-24043
Unknown Unknown - Not Provided
Arbitrary XML Injection in jsPDF addMetadata Risks PDF Integrity

Publication date: 2026-02-02

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in [email protected].
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24043
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parall jspdf to 4.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in jsPDF prior to version 4.1.0 allows a user to inject arbitrary XML into the PDF by controlling the first argument of the addMetadata function. If unsanitized input is passed to addMetadata, arbitrary XMP metadata can be injected into the generated PDF. This means that the PDF's metadata can be manipulated in unintended ways.

Impact Analysis

If a PDF generated with a vulnerable version of jsPDF is signed, stored, or otherwise processed, the integrity of the PDF can no longer be guaranteed due to the possibility of arbitrary metadata injection. This could lead to trust issues with the PDF's authenticity and potential misuse of the manipulated metadata.

Mitigation Strategies

Update the jsPDF library to version 4.1.0 or later, as this version contains the fix for the vulnerability allowing arbitrary XML injection via the addMetadata function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24043. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart