Critical (9.6)

CVE-2026-31938:

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) i...

Overview

A critical security vulnerability, tracked as CVE-2026-31938, has been discovered in the popular jsPDF library. This library is widely used by web applications to generate PDF documents directly in the browser. The flaw allows an attacker to inject malicious HTML, including scripts, into a PDF document. When a victim opens this PDF, the attacker’s code can run in the victim’s browser, leading to a complete compromise of their session within that web application.

Vulnerability Details

The vulnerability resides in the `output` function of jsPDF. If an attacker can control the `options` argument passed to this function (for example, through a form field or API parameter that is not properly sanitized), they can embed arbitrary HTML. This tainted data flows unsanitized into the PDF generation process.

In a typical attack scenario, an attacker submits crafted data through a web interface. This data is then passed automatically to a backend or another user who uses it to generate a PDF. When the victim opens the generated PDF in their browser, the attacker’s hidden scripts execute. This type of exploit is often a precursor to significant data breaches, similar to those documented in our breach reports.

Impact and Risks

With a Critical CVSS score of 9.6, this vulnerability poses a severe threat. Successful exploitation allows an attacker to:

  • Steal sensitive session cookies and authentication tokens.
  • Perform actions within the web application as the victim user (session hijacking).
  • Extract or modify confidential data viewed by the user.
  • Redirect the user to malicious websites.

The risk is particularly high for applications that generate PDFs from user-supplied content, such as report generators, invoice systems, or document portals. The attack happens client-side, meaning the malicious script runs with the same permissions as the victim on the vulnerable web page.

Remediation and Mitigation

Immediate action is required to secure affected applications.

Primary Fix: Update the Library

The maintainers have released a fix in jsPDF version 4.2.1. All developers using this library must upgrade their project dependencies to this version or later without delay.

Workaround: Input Sanitization

If an immediate update is not possible, you must implement strict input validation and sanitization. Any user-controlled data that will be passed to the jsPDF.output() function must be thoroughly cleansed of all HTML and JavaScript constructs before processing. Treat this data as untrusted and apply robust output encoding.
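One way to apply the workaround above is to stop forwarding request data as the options object and to build it from an allow-list instead. This is an added example, not code from jsPDF or from this advisory; the helper names, the single allowed key (filename) and the sample request body are assumptions made for illustration.

```javascript
// Added example (not jsPDF code). Assumption: the app only needs to let users
// pick a download filename; every other key in request data is discarded.
const ALLOWED_KEYS = ["filename"];

// Reduce an untrusted value to a conservative filename: letters, digits,
// "_" and "-" only, capped at 64 characters, always ending in ".pdf".
function safeFilename(value) {
  if (typeof value !== "string") return "document.pdf";
  const base = value
    .replace(/\.pdf$/i, "")
    .replace(/[^A-Za-z0-9_-]/g, "_")
    .slice(0, 64);
  // A name made only of replacement characters carries no information.
  return (/[A-Za-z0-9]/.test(base) ? base : "document") + ".pdf";
}

// Build a fresh options object; never forward the caller's object itself.
// Returns the options plus the keys that were dropped, so they can be logged.
function buildOutputOptions(untrusted) {
  const src = untrusted !== null && typeof untrusted === "object" ? untrusted : {};
  const dropped = Object.keys(src).filter((k) => !ALLOWED_KEYS.includes(k));
  const hasName = Object.prototype.hasOwnProperty.call(src, "filename");
  const options = Object.freeze({
    filename: safeFilename(hasName ? src.filename : undefined),
  });
  return { options, dropped };
}

// Hypothetical wrapper: `doc` is a jsPDF document, `type` is chosen by the
// application (never by the request), `untrusted` is parsed request data.
function safeOutput(doc, type, untrusted, log = console.warn) {
  const { options, dropped } = buildOutputOptions(untrusted);
  if (dropped.length > 0) {
    log("jsPDF output(): dropped unexpected option keys", dropped);
  }
  return doc.output(type, options);
}

// Constructed sample input: markup in the filename and an extra key.
const sample = JSON.parse(
  '{"filename":"<img src=x onerror=alert(1)>.pdf","unexpected":"<b>x</b>"}'
);
console.log(buildOutputOptions(sample));
```

The dropped-key log line gives a cheap signal that someone is probing the endpoint; the wrapper does not replace the upgrade to 4.2.1.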

Recommendations for Administrators and Users

  • Developers: Audit your code for all uses of jsPDF.output() and identify any paths where user input influences the options parameter.
  • End-Users: Be cautious when opening PDFs generated by web applications, especially if they involve user-submitted data. Encourage your software providers to confirm they have applied this patch.
