CVE-2026-31898

Description

### Impact User control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with.. * `createAnnotation`: `color` parameter Example attack vector: ```js import { jsPDF } from 'jspdf' const doc = new jsPDF(); const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> ('; doc.createAnnotation({ type: 'freetext', bounds: { x: 10, y: 10, w: 120, h: 20 }, contents: 'hello', color: payload }); doc.save('test.pdf'); ``` ### Patches The vulnerability has been fixed in jsPDF@4.2.1. ### Workarounds Sanitize user input before passing it to the vulnerable API members.

How to fix CVE-2026-31898

To remediate CVE-2026-31898, upgrade the affected package to a fixed version below.

• —upgrade to 4.2.1 or later

Is CVE-2026-31898 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 4.2.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-31898
• PATCHgithub.com/parallax/jsPDF
• WEBgithub.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208
• WEBgithub.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8