Vulnerability details: VCID-wg74-rver-pqa7
Vulnerability ID VCID-wg74-rver-pqa7
Aliases CVE-2026-24040
GHSA-cjw8-79x6-5cj4
Summary
jsPDF has Shared State Race Condition in addJS Plugin

The `addJS` method in the jspdf Node.js build utilizes a shared module-scoped variable (`text`) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated.

This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side.

```js
import { jsPDF } from "jspdf";

const docA = new jsPDF();
const docB = new jsPDF();

// 1. User A sets their script (stored in shared 'text' variable)
docA.addJS('console.log("Secret A");');

// 2. User B sets their script (overwrites shared 'text' variable)
docB.addJS('console.log("Secret B");');

// 3. User A saves their PDF (reads current 'text' variable)
docA.save("userA.pdf");

// Result: userA.pdf contains "Secret B" instead of "Secret A"
```
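The race described in the summary, modelled as an added example (not jsPDF's source and not code from the advisory). It goes one step beyond the advisory's synchronous snippet by interleaving two async request handlers, and sets the module-scoped shape beside a per-instance shape that keeps the script on the document object. The class names, `handleRequest`, `findCrossUserLeaks` and the token strings are constructed for illustration.

```javascript
// Simplified model of the bug class, not jsPDF's source. All names are hypothetical.

// --- Vulnerable shape: plugin state lives at module scope ---
let sharedText; // one slot for every document in the process

class SharedStateDoc {
  addJS(script) { sharedText = script; return this; }
  output() { return `/JS (${sharedText})`; } // reads whatever was written last
}

// --- Isolated shape: plugin state lives on the document instance ---
class PerInstanceDoc {
  #text;
  addJS(script) { this.#text = script; return this; }
  output() { return `/JS (${this.#text})`; }
}

// Stand-in for any await in a request handler (DB lookup, template fetch, ...).
const yieldToEventLoop = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Constructed request handler: embeds a per-user value, awaits, then renders.
async function handleRequest(DocClass, user, delayMs) {
  const doc = new DocClass();
  doc.addJS(`console.log("token-for-${user}");`);
  await yieldToEventLoop(delayMs); // other requests run here
  return { user, pdf: doc.output() };
}

// Run two overlapping requests; return the users whose response lacks their own data.
async function findCrossUserLeaks(DocClass) {
  const results = await Promise.all([
    handleRequest(DocClass, "alice", 20),
    handleRequest(DocClass, "bob", 5),
  ]);
  return results
    .filter(({ user, pdf }) => !pdf.includes(`token-for-${user}`))
    .map(({ user }) => user);
}

findCrossUserLeaks(SharedStateDoc).then((l) => console.log("shared state leaks to:", l));
findCrossUserLeaks(PerInstanceDoc).then((l) => console.log("per-instance leaks to:", l));
```

The same two-request check works as a regression test for a server-side PDF endpoint: render two documents with distinct markers in overlapping requests and assert that each response contains only its own marker.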
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
| System | Score | Found at |
|---|---|---|
| cvssv3 | 7.5 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24040.json |
| epss | 0.00015 | https://api.first.org/data/v1/epss?cve=CVE-2026-24040 |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-cjw8-79x6-5cj4 |
| cvssv4 | 6.3 | https://github.com/parallax/jsPDF |
| generic_textual | MODERATE | https://github.com/parallax/jsPDF |
| cvssv4 | 6.3 | https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e |
| generic_textual | MODERATE | https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e |
| ssvc | Track | https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e |
| cvssv4 | 6.3 | https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| generic_textual | MODERATE | https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| ssvc | Track | https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| cvssv3.1_qr | MODERATE | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 |
| cvssv4 | 6.3 | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 |
| generic_textual | MODERATE | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 |
| ssvc | Track | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4 |
| cvssv4 | 6.3 | https://nvd.nist.gov/vuln/detail/CVE-2026-24040 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2026-24040 |
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24040.json
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parallax/jsPDF
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:29:49Z/ Found at https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parallax/jsPDF/releases/tag/v4.1.0
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:29:49Z/ Found at https://github.com/parallax/jsPDF/releases/tag/v4.1.0
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-03T15:29:49Z/ Found at https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-24040
Exploit Prediction Scoring System (EPSS)
Percentile 0.03464
EPSS Score 0.00015
Published At June 5, 2026, 12:55 p.m.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-02T04:49:50.045531+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/jspdf/CVE-2026-24040.yml | 38.6.0 |