CVE-2026-25755

Name: CVE-2026-25755
Creator: NVD / NIST
Published: 2026-02-19T15:16:12.303+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 0.63%

Last modified Jun 17, 2026

CVE-2026-25755 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. EPSS estimates a 0.63% chance of exploitation in the next 30 days.

Description

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability

0.63%

45.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Parall	Jspdf	< 4.2.0

References

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.mdExploit, Mitigation, Third Party Advisory
https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437Patch
https://github.com/parallax/jsPDF/releases/tag/v4.2.0Release Notes
https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprpVendor Advisory

Timeline

Published: Feb 19, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-25755?

How severe is CVE-2026-25755?

CVE-2026-25755 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.63% probability of exploitation in the next 30 days.

How do I fix CVE-2026-25755?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-25755?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST