CVE-2026-22787

HIGH EPSS 24.2%
Published Jan 14, 20265mo ago · Modified Jun 17, 20261w ago
8.7 CVSS 4.0
High
Find Similar
Published Jan 14, 2026 5mo ago
Last Modified Jun 17, 2026 1w ago

Description

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
24.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
ekoopmanshtml2pdf.js* <0.14.0

References 6

  • aydinnyunus.github.io https://aydinnyunus.github.io/2026/01/17/cve-2026-22787-html2pdf-xss-vulnerability/
    ExploitMitigationThird Party Advisory
  • github.com https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b
    Patch
  • github.com https://github.com/eKoopmans/html2pdf.js/issues/865
    Issue Tracking
  • github.com https://github.com/eKoopmans/html2pdf.js/pull/877
    Issue TrackingPatch
  • github.com https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0
    Release Notes
  • github.com https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc
    PatchVendor Advisory

Remediation

  • github.com https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b
    Patch
  • github.com https://github.com/eKoopmans/html2pdf.js/pull/877
    Issue TrackingPatch
  • github.com https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc
    PatchVendor Advisory