Home > Vulnerability Database > CVE-2026-24737

Mend.io Vulnerability Database

CVE-2026-24737

Good to know:

Date: February 2, 2026

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.

Severity Score

8.1

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24737

Url: https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328

Url: https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79

Url: https://github.com/parallax/jsPDF

Url: https://github.com/parallax/jsPDF/releases/tag/v4.1.0

Url: https://www.mend.io/vulnerability-database/CVE-2026-24737

Severity Score

8.1

Weakness Type (CWE)

Improper Encoding or Escaping of Output

CWE-116

Top Fix

Upgrade Version

Upgrade to version jspdf - 4.1.0;https://github.com/parallax/jsPDF.git - v4.1.0

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24737

Good to know:

Date: February 2, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?