On 6 February 2026, security researchers warned about two high-severity vulnerabilities in jsPDF, a widely used library for generating PDFs in the browser. The flaws, CVE-2026-24737 and CVE-2026-24133, could let attackers inject arbitrary PDF objects through the AcroForm module, or cause a denial of service (DoS) when the library processes a crafted BMP file whose header declares oversized dimensions.
The AcroForm vulnerability arises when unsanitised user input reaches API members such as AcroFormChoiceField.addOption or AcroFormCheckBox.appearanceState: the value is written into the PDF structure as supplied, so an attacker who controls it can inject their own PDF objects, including JavaScript that runs when the document is opened in a viewer that supports it. The second flaw targets BMPDecoder.addImage, where a crafted BMP file can trigger excessive memory allocation and crash the application or the browser tab.
The maintainers have fixed both issues in the latest release, with a strong recommendation to upgrade to jspdf >= 4.1.0 (npm ls jspdf shows which version a project actually resolves, including transitive copies). Until the upgrade lands, developers should sanitise any user input that reaches AcroForm fields and validate image data before passing it to addImage, according to GitHub security advisory GHSA-pqxr-3g65-p328. Such input checks are a stopgap, not a substitute for the patched release.
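The interim mitigations described above (allow-listing values before they reach AcroForm fields, and validating a BMP header before addImage is asked to decode it), written out as an added example. This is not jsPDF project code: jsPDF is not imported so the block runs stand-alone, the guarded* wrappers assume the call shapes field.addOption(label) and doc.addImage(data, "BMP", x, y, w, h), the 50 M pixel cap is a policy choice, and the BMP samples are constructed here.

```javascript
// Added example, not jsPDF project code. Stand-alone input checks to sit in
// front of the two jsPDF entry points named in the advisories. jsPDF itself is
// not imported; guardedAddOption/guardedAddImage assume its call shapes.

// --- 1. AcroForm values ----------------------------------------------------
// PDF literal strings are delimited by ( ) with \ escapes, and names start
// with /. A value containing those characters can terminate the string it is
// written into and continue with attacker-chosen PDF syntax. Allow-listing
// the value (rather than escaping it) holds regardless of how the library
// serialises it. Character set and 200-byte limit are a policy assumption.
const ACROFORM_VALUE = /^[A-Za-z0-9 .,:;!?'"@&*+=_-]{1,200}$/;

function isSafeAcroFormValue(value) {
  return typeof value === "string" && ACROFORM_VALUE.test(value);
}

function guardedAddOption(field, label) {
  if (!isSafeAcroFormValue(label)) throw new TypeError("rejected AcroForm option label");
  field.addOption(label); // assumed jsPDF AcroFormChoiceField.addOption shape
}

// --- 2. BMP header plausibility -------------------------------------------
// Policy limit (assumption): refuse anything over 50 M pixels, roughly 200 MB
// of decoded RGBA, before a decoder is asked to allocate it.
const MAX_PIXELS = 50_000_000;
const VALID_BIT_COUNTS = new Set([1, 4, 8, 16, 24, 32]);

// Parses BITMAPFILEHEADER + BITMAPINFOHEADER (little-endian, standard offsets)
// and cross-checks the declared geometry against the bytes actually present,
// so a tiny file cannot claim a huge image.
function checkBmpHeader(bytes) {
  if (bytes.length < 54) return { ok: false, reason: "truncated header" };
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (bytes[0] !== 0x42 || bytes[1] !== 0x4d) return { ok: false, reason: "bad signature" };
  const fileSize = v.getUint32(2, true);
  const pixelOffset = v.getUint32(10, true);
  const dibSize = v.getUint32(14, true);
  const width = v.getInt32(18, true);
  const height = Math.abs(v.getInt32(22, true)); // negative height = top-down rows
  const bitCount = v.getUint16(28, true);
  const compression = v.getUint32(30, true);
  if (dibSize < 40) return { ok: false, reason: "unsupported DIB header" };
  if (width <= 0 || height === 0) return { ok: false, reason: "non-positive dimensions" };
  if (!VALID_BIT_COUNTS.has(bitCount)) return { ok: false, reason: "bad bit depth" };
  if (width * height > MAX_PIXELS) return { ok: false, reason: "declared image too large" };
  if (fileSize > bytes.length || pixelOffset > bytes.length) {
    return { ok: false, reason: "header claims more bytes than present" };
  }
  if (compression === 0) { // BI_RGB: pixel data size follows from the geometry
    const rowBytes = Math.floor((width * bitCount + 31) / 32) * 4; // rows padded to 4 bytes
    if (pixelOffset + rowBytes * height > bytes.length) {
      return { ok: false, reason: "pixel data shorter than header claims" };
    }
  }
  return { ok: true, width, height, bitCount };
}

function guardedAddImage(doc, bmpBytes, x, y, w, h) {
  const r = checkBmpHeader(bmpBytes);
  if (!r.ok) throw new RangeError("rejected BMP: " + r.reason);
  doc.addImage(bmpBytes, "BMP", x, y, w, h); // assumed jsPDF addImage shape
}

// --- Constructed samples ---------------------------------------------------
// Builds a minimal uncompressed BMP with the given header fields and payload.
function makeBmp(width, height, bitCount, pixelBytes) {
  const out = new Uint8Array(54 + pixelBytes.length);
  const v = new DataView(out.buffer);
  out[0] = 0x42; out[1] = 0x4d;       // "BM"
  v.setUint32(2, out.length, true);   // bfSize
  v.setUint32(10, 54, true);          // bfOffBits
  v.setUint32(14, 40, true);          // biSize (BITMAPINFOHEADER)
  v.setInt32(18, width, true);        // biWidth
  v.setInt32(22, height, true);       // biHeight
  v.setUint16(26, 1, true);           // biPlanes
  v.setUint16(28, bitCount, true);    // biBitCount
  v.setUint32(30, 0, true);           // biCompression = BI_RGB
  out.set(pixelBytes, 54);
  return out;
}

const benignBmp = makeBmp(2, 2, 24, new Uint8Array(16));                    // 2 rows x 8 padded bytes
const hugeBmp = makeBmp(0x7fffffff, 0x7fffffff, 24, new Uint8Array(16));    // header claims ~4.6e18 pixels
const liarBmp = makeBmp(4000, 4000, 24, new Uint8Array(16));                // 16 M pixels, 16 bytes of data

if (typeof require !== "undefined" && require.main === module) {
  console.log(isSafeAcroFormValue("Option A"), isSafeAcroFormValue("A) /JS <<"));
  console.log(checkBmpHeader(benignBmp), checkBmpHeader(hugeBmp), checkBmpHeader(liarBmp));
}
```

The two BMP rejections are deliberately separate: the pixel cap stops absurd dimensions outright, while the file-length cross-check catches a header whose dimensions look reasonable but still promise far more pixel data than the file carries, which is exactly the case a decoder would otherwise allocate for in full.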