CVE-2026-24043
jsPDF Affected by Stored XMP Metadata Injection (Spoofing & Integrity Violation)jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in [email protected].
We have discovered 5,803 live websites that are affected by CVE-2026-24043.
Affected Software
| Product | |
| Category | JavaScript Libraries |
| Vulnerable Domains | 5,803 live websites (100% of jspdf install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 28 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')Details
- Published - Feb 2, 2026
- Updated - Feb 3, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-24043 United States | 2,366 websites |
 Germany | 313 websites |
 France | 256 websites |
 Brazil | 237 websites |
 India | 237 websites |
 GB | 208 websites |
 Canada | 142 websites |
 Italy | 135 websites |
 Russia | 133 websites |
 Slovakia | 129 websites |
Website Distribution by TLD
Number of websites using CVE-2026-24043| .com | 2,371 websites |
| .org | 416 websites |
| .com.br | 164 websites |
| .net | 156 websites |
| .de | 153 websites |
| .ru | 118 websites |
| .fr | 112 websites |
| .it | 108 websites |
| .nl | 100 websites |
| .co.uk | 99 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-24043
Top websites that are affected by CVE-2026-24043. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ****.org |  Switzerland | **,*** | |
| *************************.***.es |  Spain | **,*** | |
| *******.com | United States | **,*** | |
| ********.gov | United States | **,*** | |
| ***********.com | United States | **,*** | |
| ******.com | United States | **,*** | |
| *******.com | GB | **,*** | |
| **************.at |  Austria | **,*** | |
| *****.com | United States | **,*** | |
| ******.by |  Belarus | **,*** |
FAQ
CVE-2026-24043 is Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in jspdf
A total of 5,803 websites have been identified as vulnerable to CVE-2026-24043, based on global website indexing conducted by WebTechSurvey.
The jspdf is affected by the CVE-2026-24043 vulnerability.
jspdf versions up to 4.1 are vulnerable to CVE-2026-24043.
CVE-2026-24043 is resolved in version 4.1 of jspdf.