npm package
jspdf
pkg:npm/jspdf
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-31938 | — | < 4.2.1 | 4.2.1 | Mar 18, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e | ||
| CVE-2026-31898 | — | < 4.2.1 | 4.2.1 | Mar 18, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth | ||
| CVE-2026-25940 | — | < 4.2.0 | 4.2.0 | Feb 19, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr | ||
| CVE-2026-25755 | — | < 4.2.0 | 4.2.0 | Feb 19, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca | ||
| CVE-2026-25535 | — | < 4.2.0 | 4.2.0 | Feb 19, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF | ||
| CVE-2026-24040 | — | < 4.1.0 | 4.1.0 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared | ||
| CVE-2026-24043 | — | < 4.1.0 | 4.1.0 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me | ||
| CVE-2026-24133 | — | < 4.1.0 | 4.1.0 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file | ||
| CVE-2026-24737 | — | < 4.1.0 | 4.1.0 | Feb 2, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following me | ||
| CVE-2025-68428 | — | < 4.0.0 | 4.0.0 | Jan 5, 2026 | jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user | ||
| CVE-2025-57810 | — | < 3.0.2 | 3.0.2 | Aug 26, 2025 | jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provid | ||
| CVE-2025-29907 | — | < 3.0.1 | 3.0.1 | Mar 18, 2025 | jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to the addImage method, a user can provide a harm | ||
| CVE-2021-23353 | — | < 2.3.1 | 2.3.1 | Mar 9, 2021 | This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function. | ||
| CVE-2020-7690 | — | < 2.0.0 | 2.0.0 | Jul 6, 2020 | All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method. | ||
| CVE-2020-7691 | — | < 2.0.0 | 2.0.0 | Jul 6, 2020 | In all versions of the package jspdf, it is possible to use <script> in order to go over the filtering regex. |
- CVE-2026-31938Mar 18, 2026affected < 4.2.1fixed 4.2.1
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be e
- CVE-2026-31898Mar 18, 2026affected < 4.2.1fixed 4.2.1
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following meth
- CVE-2026-25940Feb 19, 2026affected < 4.2.0fixed 4.2.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following pr
- CVE-2026-25755Feb 19, 2026affected < 4.2.0fixed 4.2.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker ca
- CVE-2026-25535Feb 19, 2026affected < 4.2.0fixed 4.2.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF
- CVE-2026-24040Feb 2, 2026affected < 4.1.0fixed 4.1.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared
- CVE-2026-24043Feb 2, 2026affected < 4.1.0fixed 4.1.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP me
- CVE-2026-24133Feb 2, 2026affected < 4.1.0fixed 4.1.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file
- CVE-2026-24737Feb 2, 2026affected < 4.1.0fixed 4.1.0
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following me
- CVE-2025-68428Jan 5, 2026affected < 4.0.0fixed 4.0.0
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user
- CVE-2025-57810Aug 26, 2025affected < 3.0.2fixed 3.0.2
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provid
- CVE-2025-29907Mar 18, 2025affected < 3.0.1fixed 3.0.1
jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to the addImage method, a user can provide a harm
- CVE-2021-23353Mar 9, 2021affected < 2.3.1fixed 2.3.1
This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function.
- CVE-2020-7690Jul 6, 2020affected < 2.0.0fixed 2.0.0
All affected versions <2.0.0 of package jspdf are vulnerable to Cross-site Scripting (XSS). It is possible to inject JavaScript code via the html method.
- CVE-2020-7691Jul 6, 2020affected < 2.0.0fixed 2.0.0
In all versions of the package jspdf, it is possible to use <script> in order to go over the filtering regex.