CVE-2026-25940
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Description
### Impact User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. * `AcroformChildClass.appearanceState` Example attack vector: ```js import { jsPDF } from "jspdf" const doc = new jsPDF(); const group = new doc.AcroFormRadioButton(); group.x = 10; group.y = 10; group.width = 20; group.height = 10; doc.addField(group); const child = group.createOption("opt1"); child.x = 10; child.y = 10; child.width = 20; child.height = 10; child.appearanceState = "Off /AA << /E << /S /JavaScript /JS (app.alert('XSS')) >> >>"; doc.save("test.pdf"); ``` ### Patches The vulnerability has been fixed in jsPDF@4.2.0. ### Workarounds Sanitize user input before passing it to the vulnerable API members.
How to fix CVE-2026-25940
To remediate CVE-2026-25940, upgrade the affected package to a fixed version below.
- —upgrade to 4.2.0 or later
Is CVE-2026-25940 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|