Vulnerability Description
html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ekoopmans | Html2Pdf.Js | < 0.14.0 |
Related Weaknesses (CWE)
References
- https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e (Patch)
- https://github.com/eKoopmans/html2pdf.js/issues/865 (Issue Tracking)
- https://github.com/eKoopmans/html2pdf.js/pull/877 (Issue Tracking, Patch)
- https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0 (Release Notes)
- https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc (Patch, Vendor Advisory)
- https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerabili (Exploit, Mitigation, Third Party Advisory)
FAQ
What is CVE-2026-22787?
CVE-2026-22787 is a vulnerability with a CVSS score of 6.1 (MEDIUM). It is a cross-site scripting (XSS) vulnerability in html2pdf.js prior to 0.14.0, triggered when the library is given a text source rather than an element.
How severe is CVE-2026-22787?
CVE-2026-22787 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-22787?
Yes. The vulnerability is fixed in html2pdf.js 0.14.0; check the references section above for the vendor advisory and patch information. Affected products include: Ekoopmans Html2Pdf.Js.