{"url":"http://public2.vulnerablecode.io/api/packages/463066?format=json","purl":"pkg:npm/jspdf@1.5.1","type":"npm","namespace":"","name":"jspdf","version":"1.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.2.1","latest_non_vulnerable_version":"4.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/330971?format=json","vulnerability_id":"VCID-34a8-xfbm-a7ce","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7690","reference_id":"","reference_type":"","scores":[{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46442","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46587","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46598","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46584","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7690"},{"reference_url":"https://github.com/MrRio/jsPDF/issues/2795","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MrRio/jsPDF/issues/2795"},{"reference_url":"https://github.com/parallax/jsPDF/issues/2862","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF/issues/2862"},{"reference_url":"https://github.com/parallax/jsPDF/issues/2971","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:
L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF/issues/2971"},{"reference_url":"https://github.com/parallax/jsPDF/pull/2806","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF/pull/2806"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7690","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7690"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-575260","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-575260"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-575258","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-575258"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-575259","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-57
5259"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575257","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575257"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-JSPDF-575256","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-JSPDF-575256"},{"reference_url":"https://github.com/advisories/GHSA-vh59-v9r5-4mh4","reference_id":"GHSA-vh59-v9r5-4mh4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vh59-v9r5-4mh4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/383663?format=json","purl":"pkg:npm/jspdf@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-c93r-5dvr-c7ek"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-p2ne-tbdk-d3eg"},{"vulnerability":"VCID-q9q5-qhbk-mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-sxg3-931u-zbds"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"},{"vulnerability":"VCID-zq4y-g7a2-kqf4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@2.0.0"}],"aliases":["CVE-2020-7690","GHSA-vh59-v9r5-4mh4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-34a8-xfbm-a7ce"},{"url":"http://public2.vul
nerablecode.io/api/vulnerabilities/65770?format=json","vulnerability_id":"VCID-7drx-9wnd-pkcx","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By crafting a payload that escapes the JavaScript string delimiter, an attacker can execute malicious actions or alter the document structure, impacting any user who opens the generated PDF. The vulnerability has been fixed in jspdf@4.2.0. As a workaround, escape parentheses in user-provided JavaScript code before passing them to the `addJS` method.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25755.json","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25755.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25755","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07699","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07675","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07711","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07706","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25755"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.red
hat.com/show_bug.cgi?id=2440993","reference_id":"2440993","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440993"},{"reference_url":"https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437","reference_id":"56b46d45b052346f5995b005a34af5dcdddd5437","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:08Z/"}],"url":"https://github.com/parallax/jsPDF/commit/56b46d45b052346f5995b005a34af5dcdddd5437"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25755","reference_id":"CVE-2026-25755","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25755"},{"reference_url":"https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md","reference_id":"CVE-2026-25755.md","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:08Z/"}],"url":"https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25755.md"},{"reference_url":"https://github.com/advisories/GHSA-9vjf-qc39-jprp","reference_id":"GHSA-9vjf-qc39-jprp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9vjf-qc39-jprp"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp",
"reference_id":"GHSA-9vjf-qc39-jprp","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:08Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-9vjf-qc39-jprp"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7110","reference_id":"RHSA-2026:7110","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7110"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7128","reference_id":"RHSA-2026:7128","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7128"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.0","reference_id":"v4.2.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:08Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39426?format=json","purl":"pkg:npm/jspdf@4.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.2.0"}],"aliases":["CVE-2026-25755","GHSA-9vjf-qc39-jprp"],"risk_score":4.3,"exploitability":"0.5","weighted_severity":"8.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7drx-9wnd-pkcx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3309
72?format=json","vulnerability_id":"VCID-bzhd-k1g6-k3as","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7691","reference_id":"","reference_type":"","scores":[{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45697","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45844","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45852","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00228","scoring_system":"epss","scoring_elements":"0.45838","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-7691"},{"reference_url":"https://github.com/MrRio/jsPDF/commit/d0323215b1a1cd1c35bf2b213274ae1e4797715d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MrRio/jsPDF/commit/d0323215b1a1cd1c35bf2b213274ae1e4797715d"},{"reference_url":"https://github.com/MrRio/jsPDF/issues/2971","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MrRio/jsPDF/issues/2971"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7691","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7691"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-575255","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.
1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-575255"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-575253","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-575253"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-575254","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-575254"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575252","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-575252"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-JSPDF-568273","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-JSPDF-568273"},{"reference_url":"https://github.com/advisories/GHSA-3q6f-8grx-pr4v","reference_id":"GHSA-3q6f-8grx-pr4v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3q6f-8grx-pr4v"}],"fixed_packages":[{"url":"http://pub
lic2.vulnerablecode.io/api/packages/383663?format=json","purl":"pkg:npm/jspdf@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-c93r-5dvr-c7ek"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-p2ne-tbdk-d3eg"},{"vulnerability":"VCID-q9q5-qhbk-mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-sxg3-931u-zbds"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"},{"vulnerability":"VCID-zq4y-g7a2-kqf4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/488672?format=json","purl":"pkg:npm/jspdf@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-c93r-5dvr-c7ek"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-p2ne-tbdk-d3eg"},{"vulnerability":"VCID-q9q5-qhbk-mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-sxg3-931u-zbds"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"},{"vulnerability":"VCID-zq4y-g7a2-kqf4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@2.2.0"}],"aliases":["CVE-2020-7691","GHSA-3q6f-8grx-pr4v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bzhd-k1g6-k3as"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121183?format=json","vulnerability_id":"VCID-c93r-5dvr-c7ek","summary":"jsPDF is a library to generate PDFs in JavaScript. 
Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service. The vulnerability was fixed in jsPDF 3.0.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57810.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-57810.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57810","reference_id":"","reference_type":"","scores":[{"value":"0.00261","scoring_system":"epss","scoring_elements":"0.49794","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50189","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50192","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00264","scoring_system":"epss","scoring_elements":"0.50208","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57810"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57810","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:
N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57810"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2391077","reference_id":"2391077","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2391077"},{"reference_url":"https://github.com/parallax/jsPDF/pull/3880","reference_id":"3880","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-26T15:58:22Z/"}],"url":"https://github.com/parallax/jsPDF/pull/3880"},{"reference_url":"https://github.com/parallax/jsPDF/commit/4cf3ab619e565d9b88b4b130bff901b91d8688e9","reference_id":"4cf3ab619e565d9b88b4b130bff901b91d8688e9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-26T15:58:22Z/"}],"url":"https://github.com/parallax/jsPDF/commit/4cf3ab619e565d9b88b4b130bff901b91d8688e9"},{"reference_url":"https://github.com/advisories/GHSA-8mvj-3j78-4qmw","reference_id":"GHSA-8mvj-3j78-4qmw","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github
.com/advisories/GHSA-8mvj-3j78-4qmw"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-8mvj-3j78-4qmw","reference_id":"GHSA-8mvj-3j78-4qmw","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-26T15:58:22Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-8mvj-3j78-4qmw"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6226","reference_id":"RHSA-2026:6226","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6226"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v3.0.2","reference_id":"v3.0.2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-26T15:58:22Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v3.0.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377770?format=json","purl":"pkg:npm/jspdf@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-p2ne-tbdk-d3eg"},{"vulnerability":"VCID-q9q5-qhbk-
mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@3.0.2"}],"aliases":["CVE-2025-57810","GHSA-8mvj-3j78-4qmw"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c93r-5dvr-c7ek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71367?format=json","vulnerability_id":"VCID-e3t3-9khr-kyhb","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victim's browser context and can extract or modify secrets from this context. The vulnerability has been fixed in jspdf@4.2.1. 
As a workaround, sanitize user input before passing it to the output method.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31938.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31938.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31938","reference_id":"","reference_type":"","scores":[{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16154","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.1628","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16297","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16309","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31938"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31938","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31938"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448550","reference_id":"2448550","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448550"},{"reference_url":"https://github.com/parallax/jsPDF/commit/87a40
bbd07e6b30575196370670b41f264aa78d7","reference_id":"87a40bbd07e6b30575196370670b41f264aa78d7","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T13:59:39Z/"}],"url":"https://github.com/parallax/jsPDF/commit/87a40bbd07e6b30575196370670b41f264aa78d7"},{"reference_url":"https://github.com/advisories/GHSA-wfv2-pwc8-crg5","reference_id":"GHSA-wfv2-pwc8-crg5","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wfv2-pwc8-crg5"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5","reference_id":"GHSA-wfv2-pwc8-crg5","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T13:59:39Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7110","reference_id":"RHSA-2026:7110","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7110"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7128","reference_id":"RHSA-2026:7128","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7128"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.1","reference_id":"v4.2.1","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N
/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T13:59:39Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374733?format=json","purl":"pkg:npm/jspdf@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.2.1"}],"aliases":["CVE-2026-31938","GHSA-wfv2-pwc8-crg5"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e3t3-9khr-kyhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71422?format=json","vulnerability_id":"VCID-fn9a-xgb4-vfb8","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the `color` parameter of the `createAnnotation` method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with. The vulnerability has been fixed in jsPDF@4.2.1. 
As a workaround, sanitize user input before passing it to the vulnerable API members.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31898.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31898.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31898","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14796","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14825","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14706","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14827","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31898"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31898","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31898"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448547","reference_id":"2448547","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448547"},{"reference_url":"https://github.com/parallax/jsPDF/commit/415
5c4819d5eca284168e51e0e1e81126b4f14b8","reference_id":"4155c4819d5eca284168e51e0e1e81126b4f14b8","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T14:00:36Z/"}],"url":"https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8"},{"reference_url":"https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208","reference_id":"annotations.js#L193-L208","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T14:00:36Z/"}],"url":"https://github.com/parallax/jsPDF/blob/b1607a9391d4cd65ea7ade25998aea8345ae1be3/src/modules/annotations.js#L193-L208"},{"reference_url":"https://github.com/advisories/GHSA-7x6v-j9x4-qf24","reference_id":"GHSA-7x6v-j9x4-qf24","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7x6v-j9x4-qf24"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24","reference_id":"GHSA-7x6v-j9x4-qf24","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T14:00:36Z/"}],"url":"https://github.com/parallax/js
PDF/security/advisories/GHSA-7x6v-j9x4-qf24"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7110","reference_id":"RHSA-2026:7110","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7110"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7128","reference_id":"RHSA-2026:7128","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7128"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.1","reference_id":"v4.2.1","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T14:00:36Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374733?format=json","purl":"pkg:npm/jspdf@4.2.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.2.1"}],"aliases":["CVE-2026-31898","GHSA-7x6v-j9x4-qf24"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fn9a-xgb4-vfb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83192?format=json","vulnerability_id":"VCID-mzjd-s1np-3fbu","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. 
This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24040.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24040.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24040","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03476","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03462","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03472","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03458","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24040"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436133","reference_id":"2436133","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436133"},{"reference_url":"https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e","reference_id":"2863e5c26afef211a545e8c174a
b4d5fce3b8c0e","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:29:49Z/"}],"url":"https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24040","reference_id":"CVE-2026-24040","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24040"},{"reference_url":"https://github.com/advisories/GHSA-cjw8-79x6-5cj4","reference_id":"GHSA-cjw8-79x6-5cj4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cjw8-79x6-5cj4"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4","reference_id":"GHSA-cjw8-79x6-5cj4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:29:49Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4466","reference_id":"RHSA-2026:4466","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4466"},{"reference_url":"https://access.redhat.com/e
rrata/RHSA-2026:4467","reference_id":"RHSA-2026:4467","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4467"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0","reference_id":"v4.1.0","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:29:49Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38496?format=json","purl":"pkg:npm/jspdf@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.1.0"}],"aliases":["CVE-2026-24040","GHSA-cjw8-79x6-5cj4"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mzjd-s1np-3fbu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93334?format=json","vulnerability_id":"VCID-p2ne-tbdk-d3eg","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. 
Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds are available. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68428.json","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-68428.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68428","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09259","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09267","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09269","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09214","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68428"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2427236","reference
_id":"2427236","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2427236"},{"reference_url":"https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d","reference_id":"a688c8f479929b24a6543b1fa2d6364abb03066d","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:22Z/"}],"url":"https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68428","reference_id":"CVE-2025-68428","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68428"},{"reference_url":"https://github.com/advisories/GHSA-f8cm-6447-x5h2","reference_id":"GHSA-f8cm-6447-x5h2","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f8cm-6447-x5h2"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2","reference_id":"GHSA-f8cm-6447-x5h2","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:22Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHS
A-f8cm-6447-x5h2"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:1517","reference_id":"RHSA-2026:1517","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:1517"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2350","reference_id":"RHSA-2026:2350","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2350"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2568","reference_id":"RHSA-2026:2568","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2568"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.0.0","reference_id":"v4.0.0","reference_type":"","scores":[{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-06T15:35:22Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.0.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36512?format=json","purl":"pkg:npm/jspdf@4.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-q9q5-qhbk-mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.0.0"}],"aliases":["CVE-2025-68428","GHSA-f8cm-6447-x5h2"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p2ne-tbdk-d3eg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83160?format=json","v
ulnerability_id":"VCID-q9q5-qhbk-mfe1","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24737.json","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24737.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24737","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06776","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06793","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06804","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06786","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24737"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{
"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436115","reference_id":"2436115","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436115"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24737","reference_id":"CVE-2026-24737","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24737"},{"reference_url":"https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79","reference_id":"da291a5f01b96282545c9391996702cdb8879f79","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:07:06Z/"}],"url":"https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79"},{"reference_url":"https://github.com/advisories/GHSA-pqxr-3g65-p328","reference_id":"GHSA-pqxr-3g65-p328","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pqxr-3g65-p328"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328","reference_id":"GHSA-pqxr-3g65-p328","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:07:06Z/"}],"url":"https://github.com/parallax/jsPDF/security/advis
ories/GHSA-pqxr-3g65-p328"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4466","reference_id":"RHSA-2026:4466","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4466"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:4467","reference_id":"RHSA-2026:4467","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:4467"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0","reference_id":"v4.1.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-03T15:07:06Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38496?format=json","purl":"pkg:npm/jspdf@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.1.0"}],"aliases":["CVE-2026-24737","GHSA-pqxr-3g65-p328"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q9q5-qhbk-mfe1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82903?format=json","vulnerability_id":"VCID-r3u7-b4rp-hbhq","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. 
If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24043.json","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24043.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24043","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05333","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05349","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05343","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05331","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24043"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436149","reference_id":"2436149","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436149"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24043","reference_id":"CVE-2026-24043","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4"
,"scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24043"},{"reference_url":"https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff","reference_id":"efe54bf50f3f5e5416b2495e3c24624fc80b6cff","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:20:54Z/"}],"url":"https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff"},{"reference_url":"https://github.com/advisories/GHSA-vm32-vv63-w422","reference_id":"GHSA-vm32-vv63-w422","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vm32-vv63-w422"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422","reference_id":"GHSA-vm32-vv63-w422","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:20:54Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0","reference_id":"v4.1.0","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"va
lue":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:20:54Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38496?format=json","purl":"pkg:npm/jspdf@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.1.0"}],"aliases":["CVE-2026-24043","GHSA-vm32-vv63-w422"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r3u7-b4rp-hbhq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/335405?format=json","vulnerability_id":"VCID-sxg3-931u-zbds","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23353","reference_id":"","reference_type":"","scores":[{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71904","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71989","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.72002","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00674","scoring_system":"epss","scoring_elements":"0.71998","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23353"},{"reference_url":"https://github.com/MrRio/jsPDF/commit/d8bb3b39efcd129994f7a3b01b632164144ec43e","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual
","scoring_elements":""}],"url":"https://github.com/MrRio/jsPDF/commit/d8bb3b39efcd129994f7a3b01b632164144ec43e"},{"reference_url":"https://github.com/MrRio/jsPDF/pull/3091","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MrRio/jsPDF/pull/3091"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23353","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23353"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1083289","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1083289"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1083287","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1083287"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-1083288","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMRRIO-1083288"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNP
M-1083286","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1083286"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-JSPDF-1073626","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-JSPDF-1073626"},{"reference_url":"https://github.com/advisories/GHSA-57f3-gghm-9mhc","reference_id":"GHSA-57f3-gghm-9mhc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-57f3-gghm-9mhc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/383060?format=json","purl":"pkg:npm/jspdf@2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-c93r-5dvr-c7ek"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-p2ne-tbdk-d3eg"},{"vulnerability":"VCID-q9q5-qhbk-mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"},{"vulnerability":"VCID-zq4y-g7a2-kqf4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@2.3.1"}],"aliases":["CVE-2021-23353","GHSA-57f3-gghm-9mhc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sxg3-931u-zbds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66276?format=json","vulnerability_id":"VCID-uzbs-4h45-4fb2","summary":"jsPDF is 
a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to an affected property, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in jsPDF@4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25940.json","reference_id":"","reference_type":"","scores":[{"value":"9.6","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25940.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25940","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13215","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13241","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13235","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13138","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25940"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441016","reference_id":"2441016","reference_type":"","scores":[],"url":"https://bug
zilla.redhat.com/show_bug.cgi?id=2441016"},{"reference_url":"https://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375","reference_id":"71ad2dbfa6c7c189ab42b855b782620fa8a38375","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:05Z/"}],"url":"https://github.com/parallax/jsPDF/commit/71ad2dbfa6c7c189ab42b855b782620fa8a38375"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25940","reference_id":"CVE-2026-25940","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25940"},{"reference_url":"https://github.com/advisories/GHSA-p5xg-68wr-hm3m","reference_id":"GHSA-p5xg-68wr-hm3m","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5xg-68wr-hm3m"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m","reference_id":"GHSA-p5xg-68wr-hm3m","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:05Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-p5xg-68wr-hm3m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7110","reference_id":"RHSA-2026:7110","reference_type":"
","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7110"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7128","reference_id":"RHSA-2026:7128","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7128"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.0","reference_id":"v4.2.0","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-19T17:07:05Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39426?format=json","purl":"pkg:npm/jspdf@4.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.2.0"}],"aliases":["CVE-2026-25940","GHSA-p5xg-68wr-hm3m"],"risk_score":4.3,"exploitability":"0.5","weighted_severity":"8.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uzbs-4h45-4fb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65955?format=json","vulnerability_id":"VCID-w2dh-z1yj-bud7","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the `addImage` method, a user can provide a harmful GIF file that results in out of memory errors and denial of service. Harmful GIF files have large width and/or height entries in their headers, which lead to excessive memory allocation. Other affected methods are: `html`. The vulnerability has been fixed in jsPDF 4.2.0. 
As a workaround, sanitize image data or URLs before passing it to the addImage method or one of the other affected methods.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25535.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25535.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25535","reference_id":"","reference_type":"","scores":[{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24604","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24414","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24608","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24619","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25535"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440992","reference_id":"2440992","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2440992"},{"reference_url":"https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6","reference_id":"2e5e156e284d92c7d134bce97e6418756941d5e6","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textua
l","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T16:03:04Z/"}],"url":"https://github.com/parallax/jsPDF/commit/2e5e156e284d92c7d134bce97e6418756941d5e6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25535","reference_id":"CVE-2026-25535","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25535"},{"reference_url":"https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md","reference_id":"CVE-2026-25535.md","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T16:03:04Z/"}],"url":"https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-25535.md"},{"reference_url":"https://github.com/advisories/GHSA-67pg-wm7f-q7fj","reference_id":"GHSA-67pg-wm7f-q7fj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-67pg-wm7f-q7fj"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj","reference_id":"GHSA-67pg-wm7f-q7fj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T16:03:04Z/"}],"url"
:"https://github.com/parallax/jsPDF/security/advisories/GHSA-67pg-wm7f-q7fj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7110","reference_id":"RHSA-2026:7110","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7110"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7128","reference_id":"RHSA-2026:7128","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7128"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.0","reference_id":"v4.2.0","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-19T16:03:04Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.2.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39426?format=json","purl":"pkg:npm/jspdf@4.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.2.0"}],"aliases":["CVE-2026-25535","GHSA-67pg-wm7f-q7fj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w2dh-z1yj-bud7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83196?format=json","vulnerability_id":"VCID-yanu-z2m8-5bap","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. 
Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24133.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24133.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24133","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12399","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12419","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.1241","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.1232","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24133"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436135","reference_id":"2436135","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436135"},{"reference_url":"https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d","reference_id":"ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N
/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:16:10Z/"}],"url":"https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24133","reference_id":"CVE-2026-24133","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24133"},{"reference_url":"https://github.com/advisories/GHSA-95fx-jjr5-f39c","reference_id":"GHSA-95fx-jjr5-f39c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-95fx-jjr5-f39c"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c","reference_id":"GHSA-95fx-jjr5-f39c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:16:10Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c"},{"reference_url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0","reference_id":"v4.1.0","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:
N/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:16:10Z/"}],"url":"https://github.com/parallax/jsPDF/releases/tag/v4.1.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38496?format=json","purl":"pkg:npm/jspdf@4.1.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@4.1.0"}],"aliases":["CVE-2026-24133","GHSA-95fx-jjr5-f39c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yanu-z2m8-5bap"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/108677?format=json","vulnerability_id":"VCID-zq4y-g7a2-kqf4","summary":"jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.1, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitised image urls to the addImage method, a user can provide a harmful data-url that results in high CPU utilization and denial of service. Other affected methods are html and addSvgAsImage. 
The vulnerability was fixed in jsPDF 3.0.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-29907","reference_id":"","reference_type":"","scores":[{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64966","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64971","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64858","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00466","scoring_system":"epss","scoring_elements":"0.64958","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-29907"},{"reference_url":"https://github.com/parallax/jsPDF","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/parallax/jsPDF"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29907","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29907"},{"reference_url":"https://github.com/parallax/jsPDF/commit/b167c43c27c466eb914b927885b06073708338df","reference_id":"b167c43c27c466eb914b927885b06073708338df","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-18T18:58:49Z/"}],"url":"https://github.com/parallax/jsPDF/commit/b167c43c27c466eb914b927885b060737
08338df"},{"reference_url":"https://github.com/advisories/GHSA-w532-jxjh-hjhj","reference_id":"GHSA-w532-jxjh-hjhj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w532-jxjh-hjhj"},{"reference_url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj","reference_id":"GHSA-w532-jxjh-hjhj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-18T18:58:49Z/"}],"url":"https://github.com/parallax/jsPDF/security/advisories/GHSA-w532-jxjh-hjhj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377891?format=json","purl":"pkg:npm/jspdf@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7drx-9wnd-pkcx"},{"vulnerability":"VCID-c93r-5dvr-c7ek"},{"vulnerability":"VCID-e3t3-9khr-kyhb"},{"vulnerability":"VCID-fn9a-xgb4-vfb8"},{"vulnerability":"VCID-mzjd-s1np-3fbu"},{"vulnerability":"VCID-p2ne-tbdk-d3eg"},{"vulnerability":"VCID-q9q5-qhbk-mfe1"},{"vulnerability":"VCID-r3u7-b4rp-hbhq"},{"vulnerability":"VCID-uzbs-4h45-4fb2"},{"vulnerability":"VCID-w2dh-z1yj-bud7"},{"vulnerability":"VCID-yanu-z2m8-5bap"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@3.0.1"}],"aliases":["CVE-2025-29907","GHSA-w532-jxjh-hjhj"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zq4y-g7a2-kqf4"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/jspdf@1.5.1"}