Cyber Resilience

CVE-2026-31898

HighRCEUpdated

Published: 18 March 2026

Published
18 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0027 19.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31898 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Parall Jspdf. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31898 is an improper input validation vulnerability in the jsPDF JavaScript library, which generates PDFs in browser or Node.js environments. Versions prior to 4.2.1 are affected, specifically in the `createAnnotation` method where user-controlled arguments, such as the `color` parameter, enable injection of arbitrary PDF objects including JavaScript actions. This stems from CWE-116 (Improper Encoding or Escaping of Output) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The issue was published on 2026-03-18.

An attacker can exploit this vulnerability by providing malicious, unsanitized input to the `createAnnotation` method during PDF generation. No privileges are required, and exploitation is network-accessible with low complexity, but it demands user interaction, such as a developer or end-user processing the tainted input. Successful injection embeds JavaScript actions in the resulting PDF, which can execute upon opening or interacting with the document, potentially compromising confidentiality and integrity through actions like data exfiltration or unauthorized modifications.

The vulnerability is fixed in jsPDF version 4.2.1, as detailed in the project's release notes, fix commit, and security advisory (GHSA-7x6v-j9x4-qf24). Mitigation involves updating to the patched version; as a workaround, sanitize all user input before passing it to the `createAnnotation` method or related APIs. Source code affected areas are in `src/modules/annotations.js` lines 193-208.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input…

more

to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1566.001 Spearphishing Attachment Initial Access
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Vulnerability enables generation of PDFs containing injected JavaScript actions via unsanitized input to createAnnotation; resulting malicious PDF files execute JS on open (T1204.002), are commonly delivered via spearphishing attachments (T1566.001), and leverage JavaScript for execution (T1059.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25940Same product: Parall Jspdf
CVE-2026-24737Same product: Parall Jspdf
CVE-2026-25755Same product: Parall Jspdf
CVE-2026-31938Same product: Parall Jspdf
CVE-2025-68428Same product: Parall Jspdf
CVE-2025-29907Same product: Parall Jspdf
CVE-2026-25535Same product: Parall Jspdf
CVE-2025-15312Shared CWE-116
CVE-2026-34480Shared CWE-116
CVE-2026-34483Shared CWE-116

Affected Assets

parall
jspdf
≤ 4.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation requires updating jsPDF to version 4.2.1, which patches the improper input validation in createAnnotation to prevent arbitrary PDF object injection.

prevent

Information input validation enforces sanitization of user-controlled arguments like the color parameter before passing to createAnnotation, directly blocking injection of JavaScript actions.

prevent

Prohibiting unsupported jsPDF versions prior to 4.2.1 prevents deployment of components vulnerable to this input validation flaw.

References