CVE-2026-22787

6.1 MEDIUM

📋 TL;DR

html2pdf.js versions before 0.14.0 contain a cross-site scripting (XSS) vulnerability when processing text input. Attackers can inject malicious scripts that execute in users' browsers, potentially stealing sensitive data, hijacking sessions, or defacing websites. Any application using vulnerable versions of html2pdf.js with text input is affected.

💻 Affected Systems

Products:
  • html2pdf.js
Versions: All versions before 0.14.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects usage with text input sources, not element sources. Web applications using html2pdf.js with user-controlled text are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of user sessions, theft of sensitive data (credentials, personal information), website defacement, and potential malware distribution to visitors.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions performed on behalf of authenticated users.

🟢 If Mitigated

Limited impact due to input validation, output encoding, or a Content Security Policy preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (loading a malicious page) but is straightforward once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.0

Vendor Advisory: https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc

Restart Required: No

Instructions:

1. Update the html2pdf.js dependency to version 0.14.0 or later.
2. For npm: npm update html2pdf.js
3. For direct inclusion: replace the script file with the patched version from the GitHub releases page.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement strict input validation and sanitization for all text passed to html2pdf.js.

Content Security Policy (applies to: all)

Implement strict CSP headers to prevent script execution from untrusted sources.

🧯 If You Can't Patch

  • Disable the text input functionality in html2pdf.js and use element sources only
  • Implement server-side validation and sanitization of all user input before it is passed to html2pdf.js

🔍 How to Verify

Check if Vulnerable:

Check package.json or the script source for the html2pdf.js version. If the version is below 0.14.0 and text input is used, the system is vulnerable.

Check Version:

Run npm list html2pdf.js (for npm installs) or check the version in the script tag's src attribute.

Verify Fix Applied:

Confirm that the html2pdf.js version is 0.14.0 or later. Test with known XSS payloads in text input to ensure that scripts are not executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in html2pdf.js input parameters
  • Multiple failed PDF generation attempts with suspicious input

Network Indicators:

  • Requests to html2pdf.js endpoints with script-like content in parameters

SIEM Query:

source="web_server" AND (uri="*html2pdf*" OR uri="*pdf*" OR user_agent="*html2pdf*") AND (param="*<script>*" OR param="*javascript:*" OR param="*onerror=*" OR param="*onload=*")
