CVE-2026-31898
Published: 18 March 2026
Summary
CVE-2026-31898 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Parall jsPDF. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). It ranks at the 12.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation requires updating jsPDF to version 4.2.1, which patches the improper input validation in createAnnotation to prevent arbitrary PDF object injection.
Information input validation enforces sanitization of user-controlled arguments like the color parameter before passing to createAnnotation, directly blocking injection of JavaScript actions.
Prohibiting unsupported jsPDF versions prior to 4.2.1 prevents deployment of components vulnerable to this input validation flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables generation of PDFs containing injected JavaScript actions via unsanitized input to createAnnotation. The resulting malicious PDF files execute JS on open (T1204.002), are commonly delivered via spearphishing attachments (T1566.001), and leverage JavaScript for execution (T1059.007).
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with:
- `createAnnotation`: `color` parameter
The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
Deeper analysis
CVE-2026-31898 is an improper input validation vulnerability in the jsPDF JavaScript library, which generates PDFs in browser or Node.js environments. Versions prior to 4.2.1 are affected, specifically in the `createAnnotation` method where user-controlled arguments, such as the `color` parameter, enable injection of arbitrary PDF objects including JavaScript actions. This stems from CWE-116 (Improper Encoding or Escaping of Output) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The issue was published on 2026-03-18.
An attacker can exploit this vulnerability by providing malicious, unsanitized input to the `createAnnotation` method during PDF generation. No privileges are required, and exploitation is network-accessible with low complexity, but it demands user interaction, such as a developer or end-user processing the tainted input. Successful injection embeds JavaScript actions in the resulting PDF, which can execute upon opening or interacting with the document, potentially compromising confidentiality and integrity through actions like data exfiltration or unauthorized modifications.
The vulnerability is fixed in jsPDF version 4.2.1, as detailed in the project's release notes, fix commit, and security advisory (GHSA-7x6v-j9x4-qf24). Mitigation involves updating to the patched version; as a workaround, sanitize all user input before passing it to the `createAnnotation` method or related APIs. The affected source code is in `src/modules/annotations.js`, lines 193-208.
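One way to apply the input-sanitization workaround described above is a strict allowlist on the `color` option before it reaches `createAnnotation`. This is an added example, not jsPDF's own code or its 4.2.1 fix. The helper names (`safeAnnotationColor`, `createAnnotationChecked`, `makeRecordingDoc`) are hypothetical, and restricting `color` to 3- or 6-digit hex values is an assumption about what the application needs.

```javascript
// Added example: allowlist check for the `color` option before it reaches
// createAnnotation. Helper names are hypothetical, not part of the jsPDF API.

// Assumption: the application only needs 3- or 6-digit hex colors, with or
// without a leading '#'. Everything else is rejected rather than "cleaned".
const HEX_COLOR = /^#?(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;

function safeAnnotationColor(value) {
  if (typeof value !== "string" || !HEX_COLOR.test(value)) {
    throw new TypeError("annotation color must be a 3- or 6-digit hex color");
  }
  return value;
}

// Validates `color` (when present) and only then forwards the call.
// `doc` is any object exposing createAnnotation(options), e.g. a jsPDF document.
function createAnnotationChecked(doc, options) {
  const checked = { ...options };
  if (checked.color !== undefined) {
    checked.color = safeAnnotationColor(checked.color);
  }
  return doc.createAnnotation(checked);
}

// Constructed stand-in for a jsPDF document so the example runs offline.
function makeRecordingDoc() {
  const calls = [];
  return { calls, createAnnotation(o) { calls.push(o); } };
}

function demo() {
  const doc = makeRecordingDoc();
  const base = { type: "freetext", bounds: { x: 10, y: 10, w: 80, h: 20 }, contents: "note" };
  // Constructed inputs: two valid colors, then values outside the allowlist
  // (a color name, a non-hex digit, a trailing newline, a non-string).
  const inputs = ["#1a2b3c", "fff", "red", "#12345g", "ffffff\n", 0xff0000];
  const results = inputs.map((color) => {
    try {
      createAnnotationChecked(doc, { ...base, color });
      return "accepted";
    } catch (e) {
      return "rejected";
    }
  });
  return { results, forwarded: doc.calls.length };
}

console.log(demo());
```

Rejecting invalid values outright, instead of stripping characters, keeps the check independent of how the library encodes the value into the PDF.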
Details
- CWE(s)