CVE-2026-24737
Published: 02 February 2026
Summary
CVE-2026-24737 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in jsPDF (the parallax/jsPDF library). Its CVSS base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE holds a 5.3 percentile rank for exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the vulnerability by requiring timely remediation: update jsPDF to version 4.1.0, which patches the input handling of the affected Acroform API members.
- SI-10 (Information Input Validation): Requires validation of user input before it is passed to the vulnerable Acroform members (addOption, setOptions, appearanceState) so that PDF syntax, and with it arbitrary PDF objects such as JavaScript actions, cannot be injected.
- Output filtering: Scans or filters the generated PDF so that injected content such as JavaScript actions, the result of the missing encoding or escaping in the Acroform module, is blocked before the document is delivered.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable library generates PDFs inside public-facing web applications, so unsanitized input lets a remote attacker inject malicious JavaScript actions into a PDF (Exploit Public-Facing Application, T1190); the resulting PDF executes those actions when the victim opens it (User Execution: Malicious File, T1204.002).
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.
Deeper analysis
CVE-2026-24737 is a high-severity vulnerability in the jsPDF JavaScript library, which is used to generate PDFs in web applications, prior to version 4.1.0. The issue stems from improper input handling in the Acroform module, allowing user-controlled properties and methods—specifically AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState—to inject arbitrary PDF objects, such as JavaScript actions. Published on 2026-02-02, it is rated 8.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-116 (Improper Encoding or Escaping of Output).
An attacker exploits this vulnerability by getting unsanitized input into one of the affected API members while the application generates a PDF, for example a choice-field option label or an appearance-state name taken from a web form. Because the value is written into the PDF without encoding or escaping, it can terminate the object it was meant to sit in and introduce new objects, including a JavaScript action. The resulting PDF executes that action when the victim opens it in a PDF reader, which is the required user interaction (UI:R) in the CVSS vector. The attacker needs no privileges and faces low attack complexity; the impact is rated high on confidentiality and integrity (data theft or manipulation in the victim's environment) and none on availability.
Mitigation is provided in jsPDF version 4.1.0, which patches the vulnerable API members. Security advisories recommend updating to this version immediately. Details are available in the GitHub security advisory (GHSA-pqxr-3g65-p328), release notes for v4.1.0, and the fixing commit (da291a5f01b96282545c9391996702cdb8879f79).
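The input-validation (SI-10) and output-filtering controls listed above, and the precondition described in the analysis (untrusted values reaching the named Acroform members), as an added application-side example. This is not jsPDF project code and not the 4.1.0 fix: the function names, the allowlists and the PDF fragments are assumptions constructed for illustration, and the escaping rule is the PDF literal-string rule from ISO 32000-1, not a copy of jsPDF's encoder.

```javascript
// Added example (application-side guard), not code from jsPDF or its 4.1.0 fix.
// Function names and the PDF fragments below are hypothetical and constructed.

// Delimiters and control characters that carry syntactic meaning in a PDF file.
// A raw label containing one of these could terminate the string it is
// embedded in and be parsed as a new object.
const PDF_DELIMITERS = /[()<>\[\]{}\/%\\]/;
const PDF_CONTROL = /[\x00-\x1f\x7f]/;

// SI-10 style check for values destined for AcroformChoiceField.addOption or
// setOptions: reject anything that is not a short, printable label.
function validateOptionLabel(label, maxLen = 128) {
  if (typeof label !== "string") throw new TypeError("label must be a string");
  if (label.length === 0 || label.length > maxLen) {
    throw new RangeError("label length out of bounds");
  }
  if (PDF_DELIMITERS.test(label) || PDF_CONTROL.test(label)) {
    throw new Error("label contains PDF syntax characters");
  }
  return label;
}

// Where rejecting is not acceptable, escape instead so the value can only be
// read as a PDF literal string (ISO 32000-1, 7.3.4.2): backslash, parentheses
// and line-break characters become escape sequences. Assumed to be what a
// correct encoder does; it is not jsPDF's implementation.
function escapePdfLiteral(s) {
  const table = { "\\": "\\\\", "(": "\\(", ")": "\\)", "\r": "\\r",
                  "\n": "\\n", "\t": "\\t", "\b": "\\b", "\f": "\\f" };
  return s.replace(/[\\()\r\n\t\b\f]/g, (c) => table[c]);
}

// appearanceState is emitted as a PDF name (e.g. /Off, /Yes), not a string, so
// the escaping rules differ; an allowlist of characters that are never
// delimiters is the simplest safe rule.
const NAME_ALLOWLIST = /^[A-Za-z0-9_.-]{1,64}$/;
function validateAppearanceState(state) {
  if (typeof state !== "string" || !NAME_ALLOWLIST.test(state)) {
    throw new Error("appearance state must be a plain name token");
  }
  return state;
}

// Output filtering: scan the serialized PDF for JavaScript action objects.
// Names may be written with #xx hex escapes (/Java#53cript), so decode those
// first; the check then looks for the action subtype or a /JS entry.
function pdfHasJavaScriptAction(pdfText) {
  const decoded = pdfText.replace(/#([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  return /\/JavaScript\b/.test(decoded) || /\/JS\b/.test(decoded);
}

// Constructed fragments standing in for real generator output.
const BENIGN_WIDGET =
  "<< /Type /Annot /Subtype /Widget /FT /Ch /Opt [(Red) (Green)] >>";
const HOSTILE_WIDGET =
  "<< /Type /Annot /Subtype /Widget /AA << /Fo << /S /JavaScript /JS 12 0 R >> >> >>";

// Build the option list for a choice field from untrusted labels, collecting
// rejected values instead of silently dropping them.
function buildSafeOptions(rawLabels) {
  const accepted = [];
  const rejected = [];
  for (const raw of rawLabels) {
    try {
      accepted.push(validateOptionLabel(raw));
    } catch (e) {
      rejected.push({ value: raw, reason: e.message });
    }
  }
  return { accepted, rejected };
}
```

In an application the guard sits in front of the library call: every label goes through validateOptionLabel (or escapePdfLiteral) before it reaches addOption or setOptions, every state through validateAppearanceState before it is assigned to appearanceState, and pdfHasJavaScriptAction runs over the serialized document before it is served. Upgrading to 4.1.0 remains the fix; these checks are defense in depth for code paths that cannot be upgraded immediately and for detecting documents produced while the vulnerable version was in use.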
Details
- CWE(s)