CVE-2026-24737
Modified Modified - Updated After Analysis

Arbitrary PDF Object Injection in jsPDF Acroform Module

Vulnerability report for CVE-2026-24737, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-02

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in [email protected].

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-02
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-02-03
EPSS Evaluated
2026-07-04
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
parall jspdf to 4.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-917 The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in jsPDF prior to version 4.1.0 allows an attacker to inject arbitrary PDF objects, including JavaScript actions, through certain Acroform module properties and methods if unsanitized input is passed. These injected JavaScript actions execute when the victim opens the PDF document. The affected API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The issue was fixed in jsPDF version 4.1.0.

Impact Analysis

This vulnerability can lead to the execution of arbitrary JavaScript code when a victim opens a crafted PDF document generated using a vulnerable version of jsPDF. This can result in high confidentiality and integrity impacts, such as unauthorized actions or data exposure, potentially compromising the victim's system or data.

Mitigation Strategies

Update the jsPDF library to version 4.1.0 or later, as this version contains the fix for the vulnerability. Avoid using vulnerable API members such as AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState with unsanitized input until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart