LeakyCreds

CVE-2026-31938 - Vulnerability Analysis

Critical | CVSS: 9.6

Last Updated: March 18, 2026

jsPDF - Stored XSS

Published: March 18, 2026 | Updated: March 18, 2026 | Remote Exploitable

Overview

jsPDF versions before 4.2.1 contain a stored XSS vulnerability. User-controlled values in the options argument of the output function are not sanitized, which lets an attacker inject arbitrary scripts that run in the victim's browser context. Exploitation requires the victim to create and open a crafted PDF.

Severity & Score

Severity: Critical
CVSS Score: 9.6

Impact

Attackers can execute arbitrary scripts in the victim's browser, potentially stealing or modifying sensitive information.

Mitigation

Update to jsPDF version 4.2.1 or later, and sanitize user input before passing it to the output method.

Details

CVE ID: CVE-2026-31938
Severity: Critical
CVSS Score: 9.6
Type: stored_xss
Status: new

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L