CVE-2026-31898
HIGH 8.1jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
Affected Applications in Environment
13
Parallels Desktop
v20.1.2 (55742)
1 device
Parallels Desktop
v26.2.0 (57363)
1 device
Parallels Desktop
v20.0.0 (55653)
1 device
Parallels Desktop
v26.3.0 (57392)
2 devices
Parallels Desktop
v26.3.0 (57363)
1 device
Parallels Desktop
v26.2.2 (57373)
5 devices
Parallels Desktop
v1.20.4 (23908)
2 devices
Parallels Desktop
v26.2.2 (57293)
1 device
Parallels Desktop
v1.26.2 (23919)
1 device
Parallels Desktop
v26.1.2 (57293)
2 devices
Parallels Desktop
v26.3.0 (57373)
1 device
Parallels Desktop
v18.3.4 (53630)
2 devices
Parallels Desktop
v20.2.2 (55879)
1 device
Affected Devices
17
Barbara-Wilkinsons-iMac-27.local
Mac
EOP-MBP-3.local
Mac
F-16
Mac
a00017110-J7TV3C9HW5
Mac
a00596491-HK02DWTXXR
Mac
a00983376-G09J49PM70
Mac
a01662531-GX0LV9N9N0
Mac
a01841079-LK4T0Y7FP4
Mac
a02038137-Q1J07Y3V07
Mac
a02213466-C2V9D4WYJM
Mac
a02273006-FV4CYP2NJ3
Mac
a02324477-RR73X1VHHP
Mac
a02388352-LQ22WMQLKF
Mac
a02460298-NF236KX9TJ
Mac
a02480849-L4V042QWGK
Mac
cehsadmin's MacBook Pro-C02CK7K4MD6M
Mac
murftastic.local
Mac
References
4
- https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208
- https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8
- https://github.com/parallax/jsPDF/releases/tag/v4.2.1
- https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24