Security Vulnerability Report
中文
CVE-2026-22787 CVSS 6.1 MEDIUM

CVE-2026-22787

Published: 2026-01-14 17:16:09
Last Modified: 2026-03-12 18:15:23
Source: [email protected]

Description

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected].

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:ekoopmans:html2pdf.js:*:*:*:*:*:node.js:*:* - VULNERABLE
html2pdf.js < 0.14.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import html2pdf from 'html2pdf.js'; // PoC: 恶意文本通过html2pdf.js执行XSS const maliciousText = '<img src=x onerror="alert(document.cookie)">'; html2pdf().from(maliciousText).save();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22787", "sourceIdentifier": "[email protected]", "published": "2026-01-14T17:16:09.290", "lastModified": "2026-03-12T18:15:22.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected]."}, {"lang": "es", "value": "html2pdf.js convierte cualquier página web o elemento en un PDF imprimible completamente del lado del cliente. Antes de 0.14.0, html2pdf.js contiene una vulnerabilidad de cross-site scripting (XSS) cuando se le proporciona una fuente de texto en lugar de un elemento. Este texto no se sanea suficientemente antes de ser adjuntado al DOM, permitiendo que se ejecuten scripts maliciosos en el navegador del cliente y poniendo en riesgo la confidencialidad, integridad y disponibilidad de los datos de la página. Esta vulnerabilidad ha sido corregida en [email protected]."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ekoopmans:html2pdf.js:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "0.14.0", "matchCriteriaId": "C8E68496-D208-41FC-9032-437EE15C8395"}]}]}], "references": [{"url": "https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/issues/865", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/pull/877", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability/", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.