CVE-2026-31938 Overview
CVE-2026-31938 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in jsPDF, a widely used JavaScript library for generating PDF files in the browser. Versions prior to 4.2.1 allow attackers to control the options argument of the output function and inject arbitrary HTML, including script payloads, into the browser context where the resulting PDF is opened. The flaw stems from unsanitized handling of user-supplied option values that flow into the rendered output. Attackers who can influence these values can execute scripts in the victim's browser session and read or modify sensitive data accessible to that origin.
Critical Impact
Attackers can inject scripts that run in the victim's browser context, enabling theft or modification of secrets accessible to that origin.
Affected Products
- jsPDF versions prior to 4.2.1 (parall:jspdf on Node.js)
- Web applications that pass user-controlled values to the output method options
- Browser contexts that open PDFs generated through vulnerable jsPDF method overloads
Discovery Timeline
- 2026-03-18 - CVE-2026-31938 published to the National Vulnerability Database (NVD)
- 2026-03-18 - Last updated in NVD database
- Fix released - jsPDF 4.2.1 published with the sanitization patch (GitHub Release v4.2.1)
Technical Details for CVE-2026-31938
Vulnerability Analysis
The vulnerability resides in jsPDF's output function, which accepts an options argument used by several method overloads. When an application forwards attacker-controlled values into these options without sanitization, jsPDF embeds them into HTML structures rendered when the PDF is opened in the browser. This produces a reflected Cross-Site Scripting (XSS) condition tied to the page that hosts or opens the generated PDF.
Exploitation requires user interaction, because the victim must trigger PDF creation and open it in their browser. Once opened, injected <script> content executes under the origin of the host page. The Common Weakness Enumeration (CWE) classification is [CWE-79], Improper Neutralization of Input During Web Page Generation.
Root Cause
jsPDF concatenates values from the output options into HTML markup without escaping or validating them. Strings containing tag delimiters and script content survive into the rendered DOM, where the browser parses them as executable code rather than as data.
Attack Vector
An attacker submits crafted option values, typically through a web form or API that feeds jsPDF on the client side. The victim's application passes those values automatically or semi-automatically into the output method. When the victim generates and opens the PDF, the injected HTML executes in their browser context, granting the attacker access to cookies, tokens, and DOM state available to the hosting origin.
No verified public proof-of-concept is published. Technical specifics are documented in the upstream advisory GHSA-wfv2-pwc8-crg5 and the corrective commit 87a40bb.
Detection Methods for CVE-2026-31938
Indicators of Compromise
- Unexpected <script>, <iframe>, or event-handler attributes appearing in HTML wrappers around generated PDFs
- Outbound browser requests to unfamiliar domains shortly after a user generates or previews a PDF
- Application logs showing option fields (filename, title, metadata) containing HTML tag characters such as <, >, or javascript:
Detection Strategies
- Inventory client-side dependencies and flag any application bundling jspdf at a version below 4.2.1
- Inspect application code paths that call doc.output(...) for tainted data flow from HTTP parameters, form fields, or stored user content
- Add Content Security Policy (CSP) reporting to surface inline script execution in pages that host jsPDF output
Monitoring Recommendations
- Monitor web application logs for option parameters containing HTML or script syntax
- Alert on browser CSP violation reports originating from PDF preview or download pages
- Track Software Composition Analysis (SCA) findings for parall:jspdf across CI/CD pipelines and runtime workloads
How to Mitigate CVE-2026-31938
Immediate Actions Required
- Upgrade jspdf to version 4.2.1 or later across all front-end and Node.js projects
- Audit every invocation of the output method and verify the source of each option value
- Apply server-side and client-side sanitization to any user input that reaches PDF generation logic
Patch Information
The maintainers fixed the issue in jsPDF 4.2.1. The corrective change is recorded in commit 87a40bb and published in the GitHub Release v4.2.1. Upgrading is the recommended remediation.
Workarounds
- Sanitize user input before passing it to the output method, stripping HTML tags and dangerous attributes
- Restrict which option fields accept user-supplied values; use server-generated values for metadata such as filenames and titles
- Enforce a strict Content Security Policy that blocks inline scripts on pages that render or host generated PDFs
# Configuration example: upgrade jsPDF to the patched version
npm install jspdf@^4.2.1
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
