Home > Vulnerability Database > CVE-2026-24043

Mend.io Vulnerability Database

CVE-2026-24043

Good to know:

Date: February 2, 2026

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.

Severity Score

5.8

Related Resources (6)

Url: https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24043

Url: https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422

Url: https://github.com/parallax/jsPDF

Url: https://github.com/parallax/jsPDF/releases/tag/v4.1.0

Url: https://www.mend.io/vulnerability-database/CVE-2026-24043

Severity Score

5.8

Weakness Type (CWE)

Improper Input Validation

CWE-20

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version jspdf - 4.1.0;https://github.com/parallax/jsPDF.git - v4.1.0

Learn More

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24043

Good to know:

Date: February 2, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?