CVE-2026-24043
Arbitrary XML Injection in jsPDF addMetadata Risks PDF Integrity
Publication date: 2026-02-02
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| parall | jspdf | versions before 4.1.0 (4.1.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in jsPDF prior to version 4.1.0 allows a user to inject arbitrary XML into the PDF by controlling the first argument of the addMetadata function. If unsanitized input is passed to addMetadata, arbitrary XMP metadata can be injected into the generated PDF. This means that the PDF's metadata can be manipulated in unintended ways.
How can this vulnerability impact me?
If a PDF generated with a vulnerable version of jsPDF is signed, stored, or otherwise processed, the integrity of the PDF can no longer be guaranteed due to the possibility of arbitrary metadata injection. This could lead to trust issues with the PDF's authenticity and potential misuse of the manipulated metadata.
What immediate steps should I take to mitigate this vulnerability?
Update the jsPDF library to version 4.1.0 or later; that release contains the fix for the arbitrary XML injection via the addMetadata function.