CVE-2026-25940
Published: 19 February 2026
Summary
CVE-2026-25940 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in jsPDF (vendor: parallax), a JavaScript library for generating PDFs. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Attachment (T1566.001). The vulnerability is ranked at the 12.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of user input before it is passed to the jsPDF Acroform properties and methods, which directly prevents the arbitrary PDF object injection described in the vulnerability description and workaround.
SI-2 mandates timely flaw remediation: upgrading jsPDF to version 4.2.0 or later removes the defective output encoding.
SI-15 (Information Output Filtering) covers filtering of generated PDFs to strip or block injected JavaScript actions, mitigating execution when the victim hovers over the injected form element. It is a compensating control only: it does not close the injection point, and reliably stripping actions from an arbitrary PDF requires a full object parser.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the PDF generation library lets an attacker produce PDFs containing injected JavaScript actions. Such files can be delivered as spearphishing attachments (T1566.001) and the injected actions run when a user opens the file and interacts with the affected form element (T1204.002, User Execution: Malicious File).
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Deeper analysis
CVE-2026-25940 affects jsPDF, a JavaScript library for generating PDFs, in versions prior to 4.2.0. The vulnerability stems from user-controlled properties and methods in the Acroform module: values supplied to them are written into the PDF object stream without being encoded or escaped for their context, so an attacker can inject arbitrary PDF objects, such as JavaScript actions. This is improper encoding of output (CWE-116); the application passing unsanitized user input to the affected API members is what exposes it.
The attack is remote, low complexity and needs no privileges, but it requires user interaction. By supplying crafted input to the affected Acroform properties, an attacker causes the generating application to emit a PDF in which JavaScript actions run when the victim hovers over a radio option. This yields high impacts on confidentiality and integrity (CVSS 8.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), potentially leading to data theft or manipulation via the executed JavaScript. The realised impact depends on the victim's PDF viewer actually executing embedded JavaScript, which not all viewers do.
The jsPDF security advisory (GHSA-p5xg-68wr-hm3m), the v4.2.0 release notes, and the fixing commit (71ad2dbfa6c7c189ab42b855b782620fa8a38375) confirm the issue was patched in version 4.2.0. Developers should upgrade to jsPDF 4.2.0 or later; where that cannot be done immediately, sanitize user input before passing it to the vulnerable Acroform API members, and treat the property list in the advisory as the boundary to validate at.
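As an added example (not jsPDF's own code and not the advisory's proof of concept), the block below builds a constructed, simplified radio-button widget dictionary two ways: once by splicing a user-controlled option name straight into PDF name tokens, and once by routing it through PDF name and literal-string escaping. A small token walk then shows which keys a viewer would parse out of each. The `radioWidget*` serialisers, the `extractNames` helper, the `isSafeFieldName` allow-list and the hostile option value are all assumptions for illustration; the escaping rules are the PDF name (ISO 32000-1 section 7.3.5) and literal-string (section 7.3.4.2) rules.

```javascript
// Added example, not jsPDF's own code: a constructed stand-in for the kind of
// AcroForm widget dictionary a PDF generator emits, showing how an unescaped
// user-controlled option name breaks out of its object context, and the PDF
// name/string escaping plus the input allow-list that prevent it.

// Encode a JavaScript string as a PDF name object (ISO 32000-1 section 7.3.5):
// every byte outside printable ASCII, plus whitespace, delimiters and '#',
// becomes a #xx hex escape, so the result is always a single name token.
function pdfName(value) {
  const bytes = new TextEncoder().encode(String(value));
  let out = '/';
  for (const b of bytes) {
    const c = String.fromCharCode(b);
    const regular = b > 0x20 && b < 0x7f && !'()<>[]{}/%#'.includes(c);
    out += regular ? c : '#' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Encode a JavaScript string as a PDF literal string (section 7.3.4.2):
// backslash and parentheses are backslash-escaped, other non-printable bytes
// use \ddd octal escapes, so the value can never close the string early.
function pdfLiteralString(value) {
  const bytes = new TextEncoder().encode(String(value));
  let out = '(';
  for (const b of bytes) {
    if (b === 0x5c || b === 0x28 || b === 0x29) out += '\\' + String.fromCharCode(b);
    else if (b < 0x20 || b > 0x7e) out += '\\' + b.toString(8).padStart(3, '0');
    else out += String.fromCharCode(b);
  }
  return out + ')';
}

// Boundary check in the spirit of the advisory's workaround (assumed policy,
// not jsPDF's): accept only short field/option names made of safe characters.
function isSafeFieldName(value) {
  return /^[A-Za-z0-9_.-]{1,64}$/.test(String(value));
}

// Constructed radio-button widget serialisers. The unsafe one splices the
// option name straight into name tokens, the way an unescaped property would
// be written; the safe one routes every user value through the encoders above.
function radioWidgetUnsafe(fieldName, optionName) {
  return `<< /Type /Annot /Subtype /Widget /FT /Btn /T (${fieldName}) ` +
         `/AS /${optionName} /AP << /N << /${optionName} 12 0 R >> >> >>`;
}
function radioWidgetSafe(fieldName, optionName) {
  return `<< /Type /Annot /Subtype /Widget /FT /Btn /T ${pdfLiteralString(fieldName)} ` +
         `/AS ${pdfName(optionName)} /AP << /N << ${pdfName(optionName)} 12 0 R >> >> >>`;
}

// Minimal PDF token walk: skip literal strings (honouring escapes and nesting)
// and collect every decoded name token, i.e. the keys and name values a viewer
// would actually parse out of the object text.
function extractNames(objectText) {
  const names = [];
  let i = 0;
  while (i < objectText.length) {
    const ch = objectText[i];
    if (ch === '(') {
      let depth = 1;
      i += 1;
      while (i < objectText.length && depth > 0) {
        if (objectText[i] === '\\') { i += 2; continue; }
        if (objectText[i] === '(') depth += 1;
        else if (objectText[i] === ')') depth -= 1;
        i += 1;
      }
    } else if (ch === '/') {
      let j = i + 1;
      while (j < objectText.length && !/[\s()<>\[\]{}\/%]/.test(objectText[j])) j += 1;
      names.push(objectText.slice(i + 1, j).replace(/#([0-9A-Fa-f]{2})/g,
        (_, hex) => String.fromCharCode(parseInt(hex, 16))));
      i = j;
    } else {
      i += 1;
    }
  }
  return names;
}

// Constructed hostile option name: a mouse-enter (/AA /E) JavaScript action,
// illustrating the class of injection the advisory describes.
const HOSTILE_OPTION = 'Yes /AA << /E << /S /JavaScript /JS (app.alert(1)) >> >>';

function demo() {
  const unsafe = extractNames(radioWidgetUnsafe('choice', HOSTILE_OPTION));
  const safe = extractNames(radioWidgetSafe('choice', HOSTILE_OPTION));
  return {
    unsafeInjectsAction: unsafe.includes('AA') && unsafe.includes('JavaScript'),
    safeInjectsAction: safe.includes('AA') || safe.includes('JavaScript'),
    rejectedAtBoundary: !isSafeFieldName(HOSTILE_OPTION),
  };
}

console.log(demo());
```

In the unsafe output the hostile value becomes a run of real tokens (`/AA`, `/E`, `/S /JavaScript`), so a viewer sees an additional-actions dictionary attached to the widget. In the safe output the same value is one opaque name token (`/Yes#20#2FAA#20...`) and, for the field title, one literal string, so nothing structural leaks through. Escaping at serialisation is what a generator must do; the allow-list is the application-side workaround for deployments that cannot upgrade immediately.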
Details
- CWE(s)