PatchSiren cyber security CVE debrief
CVE-2026-24737 parallax CVE debrief
CVE-2026-24737 is a high-severity vulnerability in the jsPDF library. When an application lets a user pass unsanitized input to certain methods or properties of the Acroform module, that user can inject arbitrary PDF objects, such as JavaScript actions, into the generated document. The affected entry points are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The issue is fixed in jsPDF 4.1.0; users of the library should update to version 4.1.0 or later to mitigate it. The vulnerability has a CVSS score of 8.1 and is rated high severity. The CVE was published on February 2, 2026, and last modified on June 30, 2026.
- Vendor: parallax
- Product: jsPDF
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-02
- Advisory updated: 2026-06-30
Who should care
Developers and users of the jsPDF library should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 4.1.0 or later, and being cautious when passing user input to the Acroform module. Additionally, users of Red Hat products that utilize the jsPDF library may be affected and should review the relevant errata and security advisories.
Technical summary
The CVE-2026-24737 vulnerability is caused by a lack of proper sanitization of user input in the jsPDF library's Acroform module. This allows users to inject arbitrary PDF objects, such as JavaScript actions, which can be executed when the victim opens the document. The vulnerability affects versions of jsPDF prior to 4.1.0. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.
Defensive priority
High-priority defensive actions are recommended to mitigate this vulnerability. Developers should update the jsPDF library to version 4.1.0 or later, and be cautious when passing user input to the Acroform module.
Recommended defensive actions
- Update the jsPDF library to version 4.1.0 or later
- Review and sanitize user input to the Acroform module
- Implement additional security measures to prevent exploitation
- Review Red Hat errata and security advisories for affected products
- Monitor for suspicious activity and implement incident response plans
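As an added example (not jsPDF's own code and not part of the advisory), a small input gate for the entry points named above: it rejects any option or appearance-state string that carries PDF delimiter or control characters before the value reaches AcroformChoiceField.addOption, so user text can never be read as PDF syntax. The `field` argument is assumed to be any object exposing an addOption method, and the length cap is an assumed value.

```javascript
// Characters with syntactic meaning in PDF objects: the delimiters listed in
// PDF 32000-1:2008 section 7.2.2 plus the literal-string escape character.
const PDF_DELIMITERS = /[()<>\[\]{}\/%\\]/;
// Control characters (NUL, CR, LF, ...) can also terminate or alter a string.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;
// Assumption: a sensible upper bound for form option text.
const MAX_OPTION_LENGTH = 256;

// True only for non-empty plain text that is safe to embed verbatim as an
// option label or appearance-state name.
function isSafeAcroformText(value) {
  return typeof value === 'string'
    && value.length > 0
    && value.length <= MAX_OPTION_LENGTH
    && !PDF_DELIMITERS.test(value)
    && !CONTROL_CHARS.test(value);
}

// Escape for a PDF literal string (PDF 32000-1:2008 section 7.3.4.2): only
// backslash and parentheses need escaping. Kept separate as defence in depth
// for callers that must accept parentheses and prefer escaping to rejection.
function escapePdfLiteral(value) {
  return value.replace(/[\\()]/g, (c) => '\\' + c);
}

// Hypothetical wrapper: validates each option, then hands it to the field's
// addOption method (the jsPDF entry point named in the advisory). Throws on the
// first unsafe value so a tainted form is never produced; returns what was added.
function addOptionsSafely(field, options) {
  const added = [];
  for (const opt of options) {
    if (!isSafeAcroformText(opt)) {
      throw new Error(`rejected unsafe Acroform option: ${JSON.stringify(opt)}`);
    }
    field.addOption(opt);
    added.push(opt);
  }
  return added;
}

// Stand-alone demonstration with a constructed stand-in for a choice field.
const demoField = { options: [], addOption(o) { this.options.push(o); } };
addOptionsSafely(demoField, ['Red', 'Green']);
console.log(demoField.options); // ['Red', 'Green']
```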
Evidence notes
The CVE-2026-24737 vulnerability was published on February 2, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 8.1 and is considered high-severity. The vulnerability affects versions of jsPDF prior to 4.1.0. Red Hat has released errata and security advisories for affected products.
Official resources
- CVE-2026-24737 CVE record (CVE.org)
- CVE-2026-24737 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: jsPDF 4.1.0 - Patch
- Mitigation or vendor reference: jsPDF 4.1.0 - Release Notes
- Mitigation or vendor reference: jsPDF 4.1.0 - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.