15 matches found
CVE-2025-29907
CVE-2025-29907 — jsPDF DoS via addImage argument : In jsPDF, prior to 3.0.1, user control of the first argument to addImage can trigger high CPU utilization and denial of service when unsanitised image URLs/data-urls are passed. The vulnerability also affects html and addSvgAsImage in relevant co...
CVE-2021-23353
The CVE-2021-23353 entry concerns jspdf before version 2.3.1, where a Regular Expression Denial of Service (ReDoS) is possible via the addImage function. Multiple sources (NVD, Node.js advisory, GitHub advisory, OSV, Veracode, CVE list) confirm the affected component and the vulnerability class. ...
CVE-2020-7690
CVE-2020-7690 affects jspdf versions before 2.0.0, where the html() method can be used to inject JavaScript via XSS. Affected software is jspdf prior to 2.0.0; the vulnerability enables executing injected scripts in user-controlled contexts. The Red Hat, GitHub Advisory, npm Advisory, and CVE rec...
CVE-2020-7691
CVE-2020-7691 : Multiple sources confirm a cross-site scripting (XSS) vulnerability in jspdf affecting all versions. The issue arises from inability to filter/validate nested script tags such as <[removed]script>, allowing injection of arbitrary JavaScript in the browser. Remediation: upgra...
CVE-2025-68428
Summary of CVE-2025-68428 (jsPDF): The Node.js builds of jsPDF (dist/jspdf.node.js and dist/jspdf.node.min.js) prior to 4.0.0 allow local file inclusion/path traversal by passing unsanitized paths to loadFile and certain other methods (addImage, html, addFont). The file contents are embedded verb...
CVE-2025-57810
CVE-2025-57810 affects the jsPDF library. The issue arises when user control of the first argument to addImage allows untrusted image data/URLs to trigger high CPU usage, leading to denial of service. This vulnerability is present in versions prior to 3.0.2 and was fixed in jsPDF 3.0.2. Impact is...
CVE-2026-24133
The CVE-2026-24133 issue affects jsPDF (prior to 4.1.0) where user control of the first addImage argument allows denial of service when processing unvalidated BMP data or URLs, including via the html method. Harmful BMP headers with large width/height trigger excessive memory allocations, leading...
CVE-2026-24737
The CVE concerns jsPDF prior to 4.1.0, where control over Acroform module properties/methods (notably AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState) allowed injection of arbitrary PDF objects, including Jav...
CVE-2026-25755
jsPDF before version 4.2.0 is vulnerable in the addJS method: user-controlled argument can inject arbitrary PDF objects by escaping the JavaScript string delimiter, potentially executing actions or altering the document when opened. The issue is fixed in [email protected] (and newer 4.2.1 per IBM bulle...
CVE-2026-25535
CVE-2026-25535 affects jsPDF (prior to 4.2.0). If the first argument to addImage (and other affected methods like html) can be controlled with unsanitized image data or URLs, a malicious GIF with large width/height entries can trigger excessive memory allocation, causing out-of-memory and denial ...
CVE-2026-31898
Summary (CVE-2026-31898) jsPDF prior to 4.2.1 is affected by a PDF Object Injection flaw in the color parameter of createAnnotation. When unsanitized user input is passed to this API, an attacker could inject arbitrary PDF objects, including JavaScript actions, which may execute when the PDF is o...
CVE-2026-25940
CVE-2026-25940 affects jsPDF prior to version 4.2.0, where user control of AcroForm module properties/methods lets an attacker inject arbitrary PDF objects (e.g., JavaScript actions). This could trigger code execution or malicious behavior when a PDF is opened or hovered, depending on the viewer....
CVE-2026-31938
jsPDF prior to 4.2.1 is vulnerable: unsanitized user input passed to the output method’s options can inject HTML/scripts into the browser context when a PDF is opened. The issue is triggered when an attacker provides values via a web interface, which are forwarded to the victim’s browser and proc...
CVE-2026-24040
The CVE-2026-24040 issue affects jspdf in versions prior to 4.1.0, where the addJS method uses a module-scoped shared variable to store JavaScript content. In concurrent environments (notably Node.js servers), this shared state can be overwritten by simultaneous requests, causing cross-user data ...
CVE-2026-24043
The CVE-2026-24043 issue affects the jsPDF library prior to version 4.1.0, where input passed to addMetadata can inject arbitrary XML/XMP metadata into the generated PDF. This XML injection can compromise PDF integrity if the document is later signed, stored, or processed, as noted across multipl...