GHSA-xgx4-2wgv-4jhm: PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel

March 20, 2026

The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the context of any user who opens the Designer and selects a multiVariableText field with no {variables} in its text.

References

github.com/advisories/GHSA-xgx4-2wgv-4jhm
github.com/pdfme/pdfme
github.com/pdfme/pdfme/security/advisories/GHSA-xgx4-2wgv-4jhm

Code Behaviors & Features

Detect and mitigate GHSA-xgx4-2wgv-4jhm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →