greprules.io
Sign inSubmit rule
Explore/cve-2026-25940-jspdf-acroform-pdf-injection

CVE-2026-25940: Jspdf Acroform Pdf Injection

Unsanitized assignment to jsPDF AcroForm properties `appearanceState` or `AS` can lead to arbitrary PDF object injection. Attackers can leverage this to execute malicious actions (such as embedded JavaScript) within the context of the PDF viewer. Update jsPDF to version 4.2.0 or later, or properly escape input (e.g., removing PDF structural characters like '

Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0javascript
greprules fetch cve-2026-25940-jspdf-acroform-pdf-injection --engine opengrep

Description

Unsanitized assignment to jsPDF AcroForm properties `appearanceState` or `AS` can lead to arbitrary PDF object injection. Attackers can leverage this to execute malicious actions (such as embedded JavaScript) within the context of the PDF viewer. Update jsPDF to version 4.2.0 or later, or properly escape input (e.g., removing PDF structural characters like '

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided

License
Apache-2.0
Source context
Public repository
Source
Provally CVE rule catalog
Validation status
Verified
Trust signals
115 downloads0 direct115 via packs
· 0 stars · Trust score 65How trust works
Included packs
2 packs

Community feedback

Sign in to report false positives, mark this rule useful, or suggest metadata improvements.

Mark usefulReport false positiveSuggest metadata