Cyber Resilience

CVE-2026-25940

HighUpdated

Published: 19 February 2026

Published
19 February 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0034 26.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25940 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Parall Jspdf. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Attachment (T1566.001); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25940 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 4.2.0. The vulnerability stems from user-controlled properties and methods in the Acroform module, enabling the injection of arbitrary PDF objects, such as JavaScript actions. This improper input validation (CWE-116) allows attackers to embed malicious content when unsanitized user input is passed to vulnerable API members.

Attackers can exploit this remotely with low complexity and no privileges required, but it necessitates user interaction. By supplying crafted input to the affected Acroform properties, an attacker generates a PDF where JavaScript actions execute upon the victim hovering over a radio option. This yields high impacts on confidentiality and integrity (CVSS 8.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), potentially leading to data theft or manipulation via the executed JavaScript.

The jsPDF security advisory (GHSA-p5xg-68wr-hm3m), release notes for v4.2.0, and fixing commit (71ad2dbfa6c7c189ab42b855b782620fa8a38375) confirm the issue was patched in version 4.2.0. As a mitigation, developers should sanitize user input before passing it to vulnerable Acroform API members and upgrade to jsPDF 4.2.0 or later.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized…

more

input to one of the following property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.001 Spearphishing Attachment Initial Access
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vulnerability in PDF generation library enables creation of PDFs containing injected JavaScript actions; these can be delivered as spearphishing attachments (T1566.001) that execute when a user opens the file and interacts with form elements (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31898Same product: Parall Jspdf
CVE-2026-24737Same product: Parall Jspdf
CVE-2026-25755Same product: Parall Jspdf
CVE-2025-68428Same product: Parall Jspdf
CVE-2025-29907Same product: Parall Jspdf
CVE-2026-31938Same product: Parall Jspdf
CVE-2026-25535Same product: Parall Jspdf
CVE-2025-15312Shared CWE-116
CVE-2026-34480Shared CWE-116
CVE-2026-34483Shared CWE-116

Affected Assets

parall
jspdf
≤ 4.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of user inputs before passing to jsPDF Acroform properties, directly preventing arbitrary PDF object injection as specified in the vulnerability description and workaround.

prevent

SI-2 mandates timely flaw remediation by upgrading jsPDF to version 4.2.0 or later, eliminating the improper input validation vulnerability.

prevent

SI-15 provides output filtering for generated PDFs to strip or block injected JavaScript actions, mitigating execution on victim hover.

References