CVE-2026-31898 - Vulnerability Analysis
Severity: High | CVSS: 8.1 | Last Updated: March 18, 2026
jsPDF - Stored XSS
Published: March 18, 2026 | Updated: March 18, 2026 | Remote Exploitable
Overview
jsPDF versions before 4.2.1 contain a stored XSS caused by unsanitized user input reaching the color parameter of the createAnnotation method. An attacker who controls that value can inject arbitrary PDF objects, including JavaScript actions, into the generated document. Exploitation requires that the application pass unsanitized input to createAnnotation.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers can inject malicious JavaScript into generated PDFs, which may execute in the viewer when the PDF is opened or interacted with.
Mitigation
Update to version 4.2.1 or later. Independently of the upgrade, validate or sanitize any user-controlled value before passing it to createAnnotation, so that PDF syntax cannot reach the annotation object.
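The following is an added example of the input validation recommended above; it is not jsPDF's own code. It allowlists two colour notations, normalises them to a canonical form, and rejects everything else before createAnnotation is called. The wrapper assumes `doc` is a jsPDF instance and that createAnnotation takes an options object with a `color` field; the canonical string it passes on is an assumption and should be adapted to whatever format your jsPDF version expects.

```javascript
// Added example (not jsPDF code): allowlist validation for the colour value
// handed to createAnnotation(). Only "#rrggbb" and "rgb(r, g, b)" are accepted;
// both are normalised to "#rrggbb". Any other string, including one carrying
// PDF delimiters such as "/", "(" or ">>", is rejected, so attacker-controlled
// text can never be written into the annotation object.

const HEX_RE = /^#([0-9a-f]{6})$/i;
const RGB_RE = /^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$/i;

// Returns a canonical "#rrggbb" string, or null if the input is not a valid colour.
function sanitizeAnnotationColor(input) {
  if (typeof input !== "string") return null;
  const value = input.trim();

  const hex = HEX_RE.exec(value);
  if (hex) return "#" + hex[1].toLowerCase();

  const rgb = RGB_RE.exec(value);
  if (rgb) {
    const channels = rgb.slice(1, 4).map(Number);
    if (channels.some((n) => n > 255)) return null; // out-of-range channel
    return "#" + channels.map((n) => n.toString(16).padStart(2, "0")).join("");
  }

  return null; // anything else is rejected, never passed through
}

// Wrapper that refuses to call createAnnotation with an unvalidated colour.
// `doc` is assumed to be a jsPDF instance; the options-object shape is an
// assumption for illustration.
function createAnnotationSafely(doc, options) {
  const color = sanitizeAnnotationColor(options.color);
  if (color === null) {
    throw new Error("rejected annotation colour: " + JSON.stringify(options.color));
  }
  return doc.createAnnotation({ ...options, color });
}
```

Rejecting, rather than escaping, keeps the fix simple: a colour has a small, well-defined grammar, so anything outside it is an error worth logging.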
References
- https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8
- https://github.com/parallax/jsPDF/releases/tag/v4.2.1
- https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24
- https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208
Details
- CVE ID: CVE-2026-31898
- Severity: High
- CVSS Score: 8.1
- Type: stored_xss
- Status: new
CWE
- CWE-116 (Improper Encoding or Escaping of Output)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N