CVE-2026-31938
Published: 18 March 2026
Summary
CVE-2026-31938 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Parall Jspdf. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires identifying, reporting, and correcting system flaws, directly addressing this CVE by patching jsPDF to the fixed version 4.2.1.
SI-10 mandates validation of information inputs, preventing attackers from injecting malicious options into the unsanitized jsPDF output function.
SI-15 enforces filtering of information outputs, mitigating injection of arbitrary HTML/scripts into the generated PDF opened in the browser context.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in jsPDF output() enables arbitrary JS execution in browser (T1059.007) and exploitation of a network-accessible web app/library (T1190).
NVD Description
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is…
more
opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. As a workaround, sanitize user input before passing it to the output method.
Deeper analysisAI
CVE-2026-31938 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the jsPDF JavaScript library for generating PDFs in versions prior to 4.2.1. The issue stems from insufficient sanitization of the user-controlled `options` argument passed to the `output` function, enabling attackers to inject arbitrary HTML, including scripts, into the browser context where the generated PDF is opened. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L), reflecting its high severity due to network accessibility, low attack complexity, and potential for significant confidentiality, integrity, and availability impacts.
An attacker can exploit this vulnerability by supplying malicious values for the `output` options, for instance through a web interface where users submit parameters. These unsanitized values are then passed—either automatically or semi-automatically—to a victim who uses one of the vulnerable `output` method overloads to create and open the PDF in their browser. Successful exploitation allows the injected scripts to execute in the victim's browser context, enabling the attacker to extract or modify sensitive data from that context.
The jsPDF security advisory (GHSA-wfv2-pwc8-crg5), release notes for version 4.2.1, and the fixing commit (87a40bbd07e6b30575196370670b41f264aa78d7) confirm the vulnerability has been patched in jsPDF 4.2.1. As a workaround, developers should sanitize all user input before passing it to the `output` method.
Details
- CWE(s)