A critical-severity vulnerability has been identified in jsPDF, the popular JavaScript library used by developers worldwide to generate PDF documents directly in the browser. The flaw, designated CVE-2026-31938 with a CVSS score of 9.6, could allow attackers to inject and execute malicious scripts within a user’s browser context.
The vulnerability resides in how the library handles the options argument within its output() function. When a developer allows user-provided values to reach this function without proper sanitization, an attacker can craft a payload that breaks out of the intended data structure and injects arbitrary HTML.
Several specific overloads and options have been identified as vulnerable:
- “pdfobjectnewwindow”: Both the pdfObjectUrl and the entire options object are susceptible, as they are JSON-serialized and included verbatim in the generated HTML string.
- “pdfjsnewwindow”: The pdfJsUrl and filename options are affected.
- “dataurlnewwindow”: The filename option serves as an entry point for injection.
“The attacker can thus inject scripts that run in the victim's browser context and can extract or modify secrets from this context”.
The advisory describes a plausible attack scenario where an attacker provides malicious values via a web interface. These values are then passed unsanitized to a victim, who unknowingly creates and opens a PDF using one of the vulnerable method overloads.
In a documented example, a payload as simple as 'x\"></iframe><script>window._n=1</script><iframe src="' can be used within the filename option to trigger script execution the moment the PDF is generated and opened in a new window.
Organizations and developers using jsPDF are urged to take immediate action. The vulnerability impacts all versions up to and including v4.2.0.
The vulnerability has been officially patched in jsPDF version 4.2.1. Upgrading to this version is the most effective defense.
If an immediate update is not possible, developers must manually sanitize any user-controlled input before passing it to the output() method.
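The following is an added example of such a sanitization layer; it is not code from jsPDF or from the advisory. It assumes the application calls output(type, options) with the three affected overloads named above, and all function names (isSafeFilename, isSafeUrl, validateOutputOptions, safeOutput), the allowlist patterns and the placeholder origin are choices made for this example. Rather than escaping, it rejects any value that falls outside a strict allowlist, because the library writes these values into generated HTML verbatim and the application has no later point at which to escape them.

```javascript
// Added example, not code from jsPDF or the advisory: a validation layer an
// application can put in front of jsPDF's output(type, options) while it
// cannot yet upgrade to 4.2.1. Function names and policy values are
// hypothetical choices for this example.

// Filenames: allowlisted characters, bounded length, must end in ".pdf".
// Characters that could close an attribute or element ('"', '<', '>') are
// outside the allowlist and cause rejection instead of being escaped.
const FILENAME_RE = /^[A-Za-z0-9 ._-]{1,200}\.pdf$/;

function isSafeFilename(name) {
  return typeof name === 'string' && FILENAME_RE.test(name);
}

// URL-valued options (pdfJsUrl, pdfObjectUrl): must parse as an absolute
// http(s) URL on an origin the application trusts, and must carry no HTML
// metacharacters, since the value is written into the generated HTML as-is.
function isSafeUrl(value, allowedOrigins) {
  if (typeof value !== 'string' || /[<>"'`\\]/.test(value)) return false;
  let url;
  try {
    url = new URL(value);
  } catch {
    return false; // relative or malformed URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  return allowedOrigins.includes(url.origin);
}

// Keys each affected overload may carry. Because the entire options object is
// serialized into HTML for 'pdfobjectnewwindow', unknown keys are rejected
// outright rather than passed through.
const ALLOWED_KEYS = {
  pdfobjectnewwindow: ['filename', 'pdfObjectUrl'],
  pdfjsnewwindow: ['filename', 'pdfJsUrl'],
  dataurlnewwindow: ['filename'],
};

// Returns a fresh, validated options object or throws.
// policy.allowedOrigins lists origins from which viewer assets may be loaded.
function validateOutputOptions(type, options, policy) {
  const allowed = ALLOWED_KEYS[type];
  if (!allowed) throw new TypeError(`unsupported output type: ${type}`);
  const clean = {};
  for (const [key, value] of Object.entries(options || {})) {
    if (!allowed.includes(key)) {
      throw new TypeError(`option "${key}" is not permitted for ${type}`);
    }
    if (key === 'filename') {
      if (!isSafeFilename(value)) throw new TypeError('filename rejected by allowlist');
    } else if (!isSafeUrl(value, policy.allowedOrigins)) {
      throw new TypeError(`${key} rejected: not an http(s) URL on an allowed origin`);
    }
    clean[key] = value;
  }
  return clean;
}

// Wrapper around a document's output(): `doc` is any object exposing
// output(type, options), such as a jsPDF instance.
function safeOutput(doc, type, options, policy) {
  return doc.output(type, validateOutputOptions(type, options, policy));
}

// Constructed demonstration values. ATTACK_FILENAME is the payload shape
// quoted in the article; the policy origin is a placeholder.
const POLICY = { allowedOrigins: ['https://static.example.invalid'] };
const ATTACK_FILENAME = 'x"></iframe><script>window._n=1</script><iframe src="';

function demo() {
  return {
    attackRejected: !isSafeFilename(ATTACK_FILENAME),
    benignAccepted: isSafeFilename('invoice-2024 03.pdf'),
    urlOnAllowedOrigin: isSafeUrl('https://static.example.invalid/pdfobject.min.js', POLICY.allowedOrigins),
    urlOnOtherOrigin: isSafeUrl('https://other.example.invalid/x.js', POLICY.allowedOrigins),
    relativeUrlRejected: !isSafeUrl('./pdf.js', POLICY.allowedOrigins),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Using safeOutput(doc, 'dataurlnewwindow', { filename: userSuppliedName }, POLICY) in place of a direct doc.output() call turns the injection attempt into a thrown TypeError before any HTML is generated. The allowlists here are deliberately narrow; widen them only for characters and origins your deployment genuinely needs, and treat the upgrade to 4.2.1 as the real fix.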