CVE-2026-31898Parall · Jspdf
Vulnerability data via NVD (ingested)
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with the `createAnnotation`: `color` parameter. The vulnerability has been fixed in jsPDF@4.2.1. As a workaround, sanitize user input before passing it to the vulnerable API members.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-31898product:"Parall Jspdf"http.html:"Jspdf"More intel sources (5)
vuln:CVE-2026-31898vulnerabilities.cve_id: CVE-2026-31898CVE-2026-31898CVE-2026-31898"CVE-2026-31898" exploit -site:nvd.nist.gov