Npm/@Pdfme/Schemas | GitLab Advisory Database (GLAD)

PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel

The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the context of any user who opens the Designer and selects a multiVariableText field with no {variables} in its text.

Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas

The SVG schema plugin in @pdfme/schemas renders user-supplied SVG content using container.innerHTML = value without any sanitization, enabling arbitrary JavaScript execution in the user's browser.

Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas

The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution.

Advisories for Npm/@Pdfme/Schemas package