GHSA-87v3-4cfp-cm76: Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas
The SVG schema plugin in @pdfme/schemas renders user-supplied SVG content using container.innerHTML = value without any sanitization, enabling arbitrary JavaScript execution in the user’s browser.
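As a triage aid for the issue described above, the following added example (not code from the advisory or from the pdfme project) scans a template for SVG fields whose content carries script-capable markup before it can reach the innerHTML sink. The template shape (schemas as pages of fields with name, type and content) and the function names are assumptions, and the sample template is constructed.

```javascript
// Added example: heuristic audit of SVG field content, not a sanitizer.
// Each pattern names one way SVG markup can run script once parsed via innerHTML.
const ACTIVE_SVG_PATTERNS = [
  { id: 'script-element', re: /<\s*script[\s>\/]/i },
  { id: 'event-handler-attribute', re: /[\s"'\/]on[a-z]+\s*=/i },
  { id: 'javascript-url', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { id: 'foreignObject-element', re: /<\s*foreignObject[\s>\/]/i },
];

// Returns the ids of every pattern found in one SVG string.
function findActiveSvgContent(svg) {
  if (typeof svg !== 'string') return [];
  return ACTIVE_SVG_PATTERNS.filter((p) => p.re.test(svg)).map((p) => p.id);
}

// Assumed template shape: { schemas: [ [ { name, type, content }, ... ], ... ] }.
// Pages given as objects keyed by field name are also accepted.
function auditTemplate(template) {
  const findings = [];
  (template.schemas || []).forEach((page, pageIndex) => {
    const fields = Array.isArray(page)
      ? page
      : Object.entries(page).map(([name, f]) => ({ name, ...f }));
    for (const field of fields) {
      if (field.type !== 'svg') continue; // only SVG fields reach the sink
      const reasons = findActiveSvgContent(field.content);
      if (reasons.length) findings.push({ pageIndex, name: field.name, reasons });
    }
  });
  return findings;
}

// Constructed sample input: one inert SVG, one with active content, one text field.
const SAMPLE_TEMPLATE = {
  schemas: [[
    { name: 'logo', type: 'svg', content: '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>' },
    { name: 'badge', type: 'svg', content: '<svg xmlns="http://www.w3.org/2000/svg" onload="track()"><script>track()</script></svg>' },
    { name: 'title', type: 'text', content: 'onload= inside a text field is ignored' },
  ]],
};

console.log(JSON.stringify(auditTemplate(SAMPLE_TEMPLATE), null, 2));
```

A finding marks a field for review or rejection; an empty result does not prove the SVG is safe, because pattern matching can miss encoded or malformed markup. The rendering path itself still needs a real sanitizer or a non-HTML rendering method.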