GHSA-qq9g-96v4-m3cj: Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas
The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution.
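The pattern described above, shown beside two mitigations, as an added example that is not code from @pdfme/schemas; all function names and the sample option values are hypothetical and constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not @pdfme/schemas code.
// Constructed sample: the second option value carries markup.
const SAMPLE_OPTIONS = ['Plain', '"></option><b>injected</b>'];

// Vulnerable pattern: values are interpolated into an HTML string that a
// caller would assign to element.innerHTML, so markup in a value is parsed.
function buildOptionsUnsafe(options, selected) {
  return options
    .map((o) => `<option value="${o}"${o === selected ? ' selected' : ''}>${o}</option>`)
    .join('');
}

// Mitigation 1: escape every character that is significant in HTML text
// and in double- or single-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function buildOptionsEscaped(options, selected) {
  return options
    .map((o) => {
      const safe = escapeHtml(o);
      return `<option value="${safe}"${o === selected ? ' selected' : ''}>${safe}</option>`;
    })
    .join('');
}

// Mitigation 2 (preferred): build nodes and assign properties, so the value
// is never parsed as HTML. `doc` is a Document; `select` is a <select> element.
function appendOptions(doc, select, options, selected) {
  for (const o of options) {
    const el = doc.createElement('option');
    el.value = String(o);
    el.textContent = String(o);
    el.selected = o === selected;
    select.appendChild(el);
  }
  return select;
}
```

Option values come from the template, so any application that loads templates it did not author should treat them as untrusted input.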