CVE-2026-24737
Unknown Unknown - Not Provided
Arbitrary PDF Object Injection in jsPDF Acroform Module

Publication date: 2026-02-02

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in [email protected].
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24737
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
parall jspdf to 4.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in jsPDF prior to version 4.1.0 allows an attacker to inject arbitrary PDF objects, including JavaScript actions, through certain Acroform module properties and methods if unsanitized input is passed. These injected JavaScript actions execute when the victim opens the PDF document. The affected API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The issue was fixed in jsPDF version 4.1.0.

Impact Analysis

This vulnerability can lead to the execution of arbitrary JavaScript code when a victim opens a crafted PDF document generated using a vulnerable version of jsPDF. This can result in high confidentiality and integrity impacts, such as unauthorized actions or data exposure, potentially compromising the victim's system or data.

Mitigation Strategies

Update the jsPDF library to version 4.1.0 or later, as this version contains the fix for the vulnerability. Avoid using vulnerable API members such as AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState with unsanitized input until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart