CVE-2026-31898 - Vulnerability Analysis

Overview

jsPDF < 4.2.1 contains a stored XSS caused by unsanitized user input in the createAnnotation method's color parameter, letting attackers inject arbitrary PDF objects including JavaScript actions, exploit requires passing unsanitized input.

Severity & Score

Impact

Attackers can inject malicious JavaScript in PDFs, potentially executing code when the PDF is opened or interacted with.

Mitigation

Update to version 4.2.1 or later; sanitize user input before passing to createAnnotation.

References

• https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8
• https://github.com/parallax/jsPDF/releases/tag/v4.2.1
• https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24
• https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 18, 2026

🟠 CVE-2026-31898 - High (8.1) jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsani... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31898/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

• https://github.com/CryptoGhost1/MangoPunch-CVE-2022-31898

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner