LeakyCreds

CVE-2026-31938 - Vulnerability Analysis

Critical | CVSS: 9.6

Last Updated: March 18, 2026

jsPDF - Stored XSS

Published: March 18, 2026 | Updated: March 18, 2026 | Remote Exploitable

Overview

jsPDF versions before 4.2.1 contain a stored XSS vulnerability caused by unsanitized, user-controlled data in the options argument of the output function. This lets attackers inject arbitrary scripts into the victim's browser context. Exploitation requires the victim to create and open a crafted PDF.

Severity & Score

Severity: Critical
CVSS Score: 9.6
EPSS Score: 3.7% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary scripts in the victim's browser, potentially stealing or modifying sensitive information.

Mitigation

Update to version 4.2.1 or later; sanitize user input before passing it to the output method.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 18, 2026

🔓 CVE-2026-31938 - Critical (9.6) jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is open... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31938/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-31938
Severity: Critical
CVSS Score: 9.6
Type: stored_xss
Status: confirmed
EPSS: 3.7%
Social Posts: 1

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

EPSS Score

3.7% (probability of exploitation in the next 30 days)