PatchSiren


CVE-2026-24737 parallax CVE debrief

CVE-2026-24737 is a high-severity vulnerability in the jsPDF library that lets an attacker inject arbitrary PDF objects, including JavaScript actions, into a generated document whenever application code passes unsanitized input to certain methods or properties of the AcroForm module: AcroFormChoiceField.addOption, AcroFormChoiceField.setOptions, AcroFormCheckBox.appearanceState and AcroFormRadioButton.appearanceState. The issue is fixed in jspdf@4.1.0, so users of the library should update to version 4.1.0 or later. The vulnerability carries a CVSS score of 8.1 (High). The CVE was published on February 2, 2026 and last modified on June 30, 2026.

Vendor
parallax
Product
jsPDF
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-02
Original CVE updated
2026-06-30
Advisory published
2026-02-02
Advisory updated
2026-06-30

Who should care

Developers who generate PDFs with jsPDF, and in particular anyone who populates AcroForm fields (choice-field options, checkbox or radio-button appearance states) from user-controlled data, should update to version 4.1.0 or later and treat every value handed to those APIs as untrusted until then. The people who open the generated documents are the actual victims: an injected JavaScript action runs in a PDF viewer that supports PDF JavaScript as soon as the document is opened. Users of Red Hat products that bundle jsPDF may also be affected and should review the relevant errata and security advisories.

Technical summary

The root cause of CVE-2026-24737 is missing sanitization of caller-supplied values in the jsPDF AcroForm module. Because those values are written into the PDF object syntax without being sanitized, a crafted value can introduce arbitrary PDF objects, such as a JavaScript action, which a PDF viewer that supports JavaScript executes when the victim opens the document. Affected versions are all jsPDF releases prior to 4.1.0. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N: network-reachable, low complexity and no privileges required, but the victim has to open the crafted document (UI:R); confidentiality and integrity impact are high, availability is not affected.

Defensive priority

High. Update jsPDF to version 4.1.0 or later; until that is done, do not pass user-controlled values to the listed AcroForm methods and properties without strict validation.

Recommended defensive actions

  • Update the jsPDF library to version 4.1.0 or later (jspdf@4.1.0 contains the fix)
  • Validate or sanitize every user-controlled value before it reaches AcroFormChoiceField.addOption, AcroFormChoiceField.setOptions, or a checkbox or radio-button appearanceState
  • Check generated PDFs for unexpected action dictionaries (JavaScript actions, additional actions, OpenAction) before distributing them
  • Review Red Hat errata and security advisories for affected products
  • Monitor for suspicious activity and implement incident response plans
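The following is an added example written for this debrief; it is not code from jsPDF, from the advisory, or from parallax. It illustrates the input-validation and PDF-check steps above and the injection mechanism described in the technical summary: a strict validator for values that would otherwise reach AcroFormChoiceField.addOption / setOptions or a checkbox or radio-button appearanceState, a wrapper that applies it before calling a field's addOption, and a scanner that flags action dictionaries (JavaScript, additional actions, OpenAction, Launch) in generated PDF bytes. All function names, the allowlist, the declared state list and the two sample PDF fragments are this example's own assumptions and constructed test data, not output of any jsPDF version.

```javascript
'use strict';

// Characters that delimit PDF syntax (ISO 32000-1 section 7.2.2), plus the
// backslash escape character and control characters. A value containing any
// of these could end the string literal or name it is written into and start
// a new PDF object, which is the class of problem CVE-2026-24737 describes.
const PDF_DELIMITERS = /[()<>\[\]{}\/%\\\x00-\x1f\x7f]/;

// Allowlist validator for option labels: printable ASCII minus the delimiters.
// Tighten the rule to your real data (e.g. /^[A-Za-z0-9 ,.'-]{1,128}$/).
function validateOptionLabel(label, maxLen = 128) {
  if (typeof label !== 'string') return { ok: false, reason: 'not a string' };
  if (label.length === 0 || label.length > maxLen) return { ok: false, reason: 'bad length' };
  if (/[^\x20-\x7e]/.test(label)) return { ok: false, reason: 'non-printable character' };
  if (PDF_DELIMITERS.test(label)) return { ok: false, reason: 'PDF delimiter character' };
  return { ok: true };
}

// appearanceState must be one of the states the field declares (assumed here
// to be passed in by the caller) or the standard "Off" state. Anything else is
// rejected instead of being written into the field's appearance-state name.
function validateAppearanceState(state, declaredStates) {
  const allowed = new Set(['Off', ...declaredStates]);
  if (typeof state !== 'string' || !allowed.has(state)) {
    return { ok: false, reason: `appearance state not one of ${[...allowed].join(', ')}` };
  }
  return { ok: true };
}

// Wrapper a form-building layer would call instead of addOption directly.
// `field` is any object with an addOption(label) method (for example a jsPDF
// AcroFormChoiceField). Untrusted labels are validated first; rejected ones
// are returned so the caller can log or refuse the request.
function addOptionsChecked(field, labels) {
  const rejected = [];
  for (const label of labels) {
    const v = validateOptionLabel(label);
    if (v.ok) field.addOption(label);
    else rejected.push({ label, reason: v.reason });
  }
  return rejected;
}

// Post-generation check on raw PDF bytes: look for action dictionaries in
// uncompressed object syntax. jsPDF writes objects uncompressed unless its
// `compress` option is set; for compressed streams or object streams, inflate
// first or use a real PDF parser, or the tokens below will not be visible.
const ACTION_PATTERNS = [
  { name: 'JavaScript action', re: /\/S\s*\/JavaScript\b/g },
  { name: 'JS entry', re: /\/JS\s*[(<\d]/g },
  { name: 'Additional-actions dict', re: /\/AA\s*<</g },
  { name: 'OpenAction', re: /\/OpenAction\b/g },
  { name: 'Launch action', re: /\/S\s*\/Launch\b/g },
];

function scanPdfForActions(pdfBytes) {
  // latin1 keeps a 1:1 byte-to-char mapping, so offsets are byte offsets.
  const text = Buffer.isBuffer(pdfBytes) ? pdfBytes.toString('latin1') : String(pdfBytes);
  const findings = [];
  for (const { name, re } of ACTION_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) findings.push({ name, offset: m.index });
  }
  return findings;
}

// Constructed sample data (hand-written, not produced by jsPDF): a widget
// annotation for a choice field, once with an additional-actions entry that
// carries a JavaScript action appended after the /Opt array, once without.
const SAMPLE_TAINTED = Buffer.from(
  '%PDF-1.3\n5 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Ch /T (colour) ' +
  '/Opt [(red) (green)] /AA << /E << /S /JavaScript /JS (app.alert(1)) >> >> >>\nendobj\n',
  'latin1');
const SAMPLE_CLEAN = Buffer.from(
  '%PDF-1.3\n5 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Ch /T (colour) ' +
  '/Opt [(red) (green)] >>\nendobj\n',
  'latin1');

// Demonstration when run directly: node acroform-check.js
console.log('label "green":', validateOptionLabel('green'));
console.log('label "green) /Foo":', validateOptionLabel('green) /Foo'));
console.log('state "On" with declared [On]:', validateAppearanceState('On', ['On']));
console.log('tainted sample:', scanPdfForActions(SAMPLE_TAINTED));
console.log('clean sample:', scanPdfForActions(SAMPLE_CLEAN));
```

The validator rejects rather than escapes on purpose: escaping at the application layer would be double-applied once the library itself escapes (as a fixed version must), whereas an allowlist of plain label characters is safe on every jsPDF version. The scanner is a cheap release-gate check for documents your service emits; a finding is not proof of exploitation, but a form PDF that should contain no scripting has no reason to carry any of these keys.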

Evidence notes

CVE-2026-24737 was published on February 2, 2026 and last modified on June 30, 2026. CVSS score 8.1 (High). Affected: jsPDF versions prior to 4.1.0; fixed in jspdf@4.1.0. Red Hat has released errata and security advisories for affected products. The stored evidence does not list the CVE in the CISA KEV catalog.

Official resources

This article is AI-assisted and based on the supplied source corpus.