SCA: security update for jspdf (GHSA-p5xg-68wr-hm3m)

critical Tenable Cloud Security Plugin ID 437899

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- jsPDF is a library for generating PDFs in JavaScript. Before version 4.2.0, user control over properties
and methods of the AcroForm module allows arbitrary PDF objects, such as JavaScript actions, to be injected
into the generated document. If an application passes unsanitized user input to one of the affected AcroForm
properties, the injected JavaScript action is executed when the victim hovers over the radio option. The
vulnerability has been fixed in jspdf@4.2.0. As a workaround, sanitize user input before passing it to the
vulnerable API members. (CVE-2026-25940)
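The workaround above is to sanitize user input before it reaches the vulnerable AcroForm members. The following is an added example, not code from jsPDF, from the advisory or from this plugin: a library-independent set of checks that reject, strip or escape values containing PDF syntax characters before they are assigned to field properties such as a radio option's name or value. The crafted input string is constructed for illustration (it shows the general shape of a PDF object injection per the PDF object syntax, not a confirmed jsPDF payload), and all function and constant names are this example's own. Upgrading remains the actual fix; this is defense in depth for code that cannot upgrade immediately.

```javascript
'use strict';
// Added example (not jsPDF project code): defensive handling of values that end up
// inside AcroForm field dictionaries. Library-agnostic; runs without jspdf installed.

// Strict allowlist for short, human-readable field names and option values: letters,
// digits, space and a little punctuation. None of the PDF delimiters ( ) < > [ ] { } / %
// (ISO 32000-1 §7.2.2) and no backslash, the literal-string escape character.
const ALLOWED_CLASS = "A-Za-z0-9 _.,:;!?@'-";
const ALLOWED_RE = new RegExp(`^[${ALLOWED_CLASS}]*$`);
const DISALLOWED_RE = new RegExp(`[^${ALLOWED_CLASS}]`, 'g');
const CONTROL_RE = /[\u0000-\u001F\u007F]/;

// Rejecting policy: true only for non-empty, bounded, allowlisted strings.
function isSafeAcroFormValue(input, maxLength = 128) {
  if (typeof input !== 'string') return false;
  if (input.length === 0 || input.length > maxLength) return false;
  if (CONTROL_RE.test(input)) return false;
  return ALLOWED_RE.test(input);
}

// Same policy, but throws so a crafted value never reaches the PDF writer.
function requireSafeAcroFormValue(input, maxLength = 128) {
  if (!isSafeAcroFormValue(input, maxLength)) {
    throw new Error('AcroForm value rejected: contains PDF syntax or disallowed characters');
  }
  return input;
}

// Normalizing policy: strip everything outside the allowlist, collapse whitespace,
// truncate. May return '' for hostile input; callers must treat that as a rejection.
function sanitizeAcroFormValue(input, maxLength = 128) {
  const s = String(input ?? '').normalize('NFKC');
  return s.replace(DISALLOWED_RE, '').replace(/\s+/g, ' ').trim().slice(0, maxLength);
}

// Escaping policy per ISO 32000-1 §7.3.4.2 for values that must keep free-form text:
// escape backslash and parentheses, encode control bytes as \ddd octal. Inside a balanced
// literal string, characters like / or >> are plain content and cannot start a new
// dictionary entry. Only Latin-1 text is handled here; wider text must go through the
// library's own text-encoding path.
function pdfEscapeLiteralString(input) {
  let out = '';
  for (const ch of String(input)) {
    const code = ch.codePointAt(0);
    if (code > 0xff) throw new Error('non-Latin-1 text: encode via the library, not this helper');
    if (ch === '\\' || ch === '(' || ch === ')') out += '\\' + ch;
    else if (code < 0x20 || code === 0x7f) out += '\\' + code.toString(8).padStart(3, '0');
    else out += ch;
  }
  return out;
}

// Constructed input shaped like a PDF object injection: the ')' would close the literal
// string and the remainder would parse as further dictionary entries (an /AA
// additional-actions dictionary with a JavaScript action on the /E mouse-enter trigger).
const CRAFTED_OPTION = 'Yes) /AA << /E << /S /JavaScript /JS (app.alert(1)) >> >>';

function demo() {
  return {
    crafted_is_safe: isSafeAcroFormValue(CRAFTED_OPTION),
    crafted_stripped: sanitizeAcroFormValue(CRAFTED_OPTION),
    crafted_escaped: pdfEscapeLiteralString(CRAFTED_OPTION),
    benign_is_safe: isSafeAcroFormValue('Option B'),
  };
}
```

Use the rejecting or stripping variant for field names and radio option values, which are never legitimately free-form; reserve the escaping variant for text such as tooltips, and keep it even after upgrading so the application does not rely on the library being the only layer that encodes output (the CWE-116 class of this finding).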

Solution

Update the jspdf library and its related packages to version 4.2.0 or later, including any copies nested under other dependencies: a fixed top-level version does not remove an older copy that another package pulls in transitively.
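The plugin reports installed copies it finds; the same condition can be checked locally before an image is built. The following is an added example, not Tenable's or jsPDF's code: it walks a lockfileVersion 2/3 package-lock.json and reports every jspdf entry below 4.2.0, including copies nested under other dependencies and installs under an alias name. The sample lock object, its package names and its versions are constructed for the example, and the function names are this example's own.

```javascript
'use strict';
// Added example (not Tenable or jsPDF code): find jspdf copies below the fixed version
// in an npm lockfile, including nested and aliased installs.

const FIXED_VERSION = '4.2.0'; // from the advisory: fixed in jspdf@4.2.0

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" (SemVer 2.0.0); null if not parseable.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Compare parsed versions; a prerelease sorts before the release with the same number,
// so 4.2.0-rc.1 is still vulnerable. Numeric identifiers compare numerically.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1;
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Unparseable versions (git URLs, "file:" links) are flagged for manual review.
function isVulnerableJspdf(version) {
  const v = parseSemver(version);
  if (!v) return true;
  return compareSemver(v, parseSemver(FIXED_VERSION)) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lock. Keys are install paths, so
// "node_modules/foo/node_modules/jspdf" (a nested copy) is visited like the top-level
// one. npm records "name" only when the installed name differs from the path (alias).
function findVulnerableJspdf(lock) {
  const findings = [];
  const packages = lock && lock.packages ? lock.packages : {};
  for (const [path, meta] of Object.entries(packages)) {
    if (!meta || typeof meta.version !== 'string') continue;
    const name = meta.name || path.split('node_modules/').pop();
    if (name !== 'jspdf') continue;
    if (isVulnerableJspdf(meta.version)) findings.push({ path, version: meta.version });
  }
  return findings;
}

// Read and scan a lockfile from disk (hypothetical entrypoint for real use).
function scanLockfile(filePath) {
  const fs = require('fs');
  return findVulnerableJspdf(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed lockfile: one fixed top-level copy, one vulnerable nested copy, one
// vulnerable prerelease installed under an alias. Package names and versions are
// made up for the example.
const SAMPLE_LOCK = {
  name: 'report-service', lockfileVersion: 3, packages: {
    '': { name: 'report-service', dependencies: { jspdf: '^4.2.0', 'legacy-export': '1.0.0' } },
    'node_modules/jspdf': { version: '4.2.0' },
    'node_modules/legacy-export': { version: '1.0.0', dependencies: { jspdf: '^3.0.0' } },
    'node_modules/legacy-export/node_modules/jspdf': { version: '3.0.1' },
    'node_modules/pdf-rc': { name: 'jspdf', version: '4.2.0-rc.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  console.log(JSON.stringify(scanLockfile(process.argv[2]), null, 2));
}
```

Run it as `node scan.js ./package-lock.json` to list offending paths; an empty array means every installed jspdf is at or above 4.2.0. Lockfiles at lockfileVersion 1 have no `packages` map and are reported as clean by this walker, so regenerate them with a current npm before scanning.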

See Also

https://github.com/advisories/GHSA-p5xg-68wr-hm3m

Plugin Details

Severity: Critical

ID: 437899

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/20/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.16

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2026-25940

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/19/2026

Vulnerability Publication Date: 2/19/2026

Reference Information

CVE: CVE-2026-25940

CWE: CWE-116 (Improper Encoding or Escaping of Output)