Vulnerability-Lookup

WID-SEC-W-2026-0553

Vulnerability from csaf_certbund - Published: 2026-03-01 23:00 - Updated: 2026-05-14 22:00

Summary

HCL BigFix: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: BigFix ist eine Lösung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.

Angriff: Ein Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um Informationen offenzulegen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, und um Dateien zu manipulieren.

Betroffene Betriebssysteme: - Linux - UNIX - Windows

CVE-2025-68428

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

CVE-2026-22029

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

CVE-2026-24040

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

CVE-2026-24043

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

CVE-2026-24133

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

CVE-2026-24737

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

CVE-2026-25639

Affected products

Known affected 4 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
HCL BigFix Service Management HCL / BigFix	`cpe:/a:hcltech:bigfix:service_management`	Service Management
HCL BigFix WebUI HCL / BigFix	`cpe:/a:hcltech:bigfix:webui`	WebUI
HCL BigFix Reports <1.0.2 Update 2 HCL / BigFix		Reports <1.0.2 Update 2

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://support.hcl-software.com/csm?id=kb_articl…	external
https://access.redhat.com/errata/RHSA-2026:4466	external
https://support.hcl-software.com/csm?id=kb_articl…	external
https://support.hcl-software.com/community?id=com…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "BigFix ist eine L\u00f6sung zum Erkennen und Verwalten von physischen und virtuellen Endpunkten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um Informationen offenzulegen, um beliebigen Programmcode auszuf\u00fchren, um einen Denial of Service Angriff durchzuf\u00fchren, und um Dateien zu manipulieren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0553 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0553.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0553 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0553"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2026-03-01",
        "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0129092"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:4466 vom 2026-03-12",
        "url": "https://access.redhat.com/errata/RHSA-2026:4466"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin",
        "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0130587"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2026-05-14",
        "url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=6976946e2bfccf900c64f1a1d891bf9a"
      }
    ],
    "source_lang": "en-US",
    "title": "HCL BigFix: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-05-14T22:00:00.000+00:00",
      "generator": {
        "date": "2026-05-15T08:33:35.845+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0553",
      "initial_release_date": "2026-03-01T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-03-01T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-11T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-10T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von HCL aufgenommen"
        },
        {
          "date": "2026-05-14T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates aufgenommen"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "WebUI",
                "product": {
                  "name": "HCL BigFix WebUI",
                  "product_id": "T036098",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:webui"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Service Management",
                "product": {
                  "name": "HCL BigFix Service Management",
                  "product_id": "T046595",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:service_management"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Reports \u003c1.0.\u200b2 Update 2",
                "product": {
                  "name": "HCL BigFix Reports \u003c1.0.\u200b2 Update 2",
                  "product_id": "T051321"
                }
              },
              {
                "category": "product_version",
                "name": "Reports 1.0.\u200b2 Update 2",
                "product": {
                  "name": "HCL BigFix Reports 1.0.\u200b2 Update 2",
                  "product_id": "T051321-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltech:bigfix:reports__1.0.2_update_2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "BigFix"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-68428",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2025-68428"
    },
    {
      "cve": "CVE-2026-22029",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2026-22029"
    },
    {
      "cve": "CVE-2026-24040",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2026-24040"
    },
    {
      "cve": "CVE-2026-24043",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2026-24043"
    },
    {
      "cve": "CVE-2026-24133",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2026-24133"
    },
    {
      "cve": "CVE-2026-24737",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2026-24737"
    },
    {
      "cve": "CVE-2026-25639",
      "product_status": {
        "known_affected": [
          "67646",
          "T046595",
          "T036098",
          "T051321"
        ]
      },
      "release_date": "2026-03-01T23:00:00.000+00:00",
      "title": "CVE-2026-25639"
    }
  ]
}

CVE-2025-68428 (GCVE-0-2025-68428)

Vulnerability from cvelistv5 – Published: 2026-01-05 21:43 – Updated: 2026-01-06 17:38

Title

jsPDF has Local File Inclusion/Path Traversal vulnerability

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF.

Severity

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-35 - Path Traversal: '.../...//'
CWE-73 - External Control of File Name or Path

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/parallax/jsPDF/security/adviso…	x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/a688c8f4…	x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.0.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
parallax	jsPDF	Affected: < 4.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-68428",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-06T15:35:22.371810Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-06T17:38:46.470Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jsPDF",
          "vendor": "parallax",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.0.0, user control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are `addImage`, `html`, and `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. Some workarounds areavailable. With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. For older node versions, sanitize user-provided paths before passing them to jsPDF."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-35",
              "description": "CWE-35: Path Traversal: \u0027.../...//\u0027",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T21:43:55.169Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2"
        },
        {
          "name": "https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/commit/a688c8f479929b24a6543b1fa2d6364abb03066d"
        },
        {
          "name": "https://github.com/parallax/jsPDF/releases/tag/v4.0.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/releases/tag/v4.0.0"
        }
      ],
      "source": {
        "advisory": "GHSA-f8cm-6447-x5h2",
        "discovery": "UNKNOWN"
      },
      "title": "jsPDF has Local File Inclusion/Path Traversal vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-68428",
    "datePublished": "2026-01-05T21:43:55.169Z",
    "dateReserved": "2025-12-17T15:29:39.378Z",
    "dateUpdated": "2026-01-06T17:38:46.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22029 (GCVE-0-2026-22029)

Vulnerability from cvelistv5 – Published: 2026-01-10 02:42 – Updated: 2026-06-02 16:58

Title

React Router vulnerable to XSS via Open Redirects

Summary

React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.

Severity

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/remix-run/react-router/securit…	x_refsource_CONFIRM

Impacted products

2 products

Vendor	Product	Version
remix-run	react-router	Affected: >= 7.0.0, < 7.12.0
remix-run	@remix-run/router	Affected: < 1.23.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22029",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-13T04:55:53.265498Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:50.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-router",
          "vendor": "remix-run",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.12.0"
            }
          ]
        },
        {
          "product": "@remix-run/router",
          "vendor": "remix-run",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.23.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (\u003cBrowserRouter\u003e) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T16:58:42.516Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx"
        }
      ],
      "source": {
        "advisory": "GHSA-2w69-qvjg-hvjx",
        "discovery": "UNKNOWN"
      },
      "title": "React Router vulnerable to XSS via Open Redirects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22029",
    "datePublished": "2026-01-10T02:42:32.736Z",
    "dateReserved": "2026-01-05T22:30:38.718Z",
    "dateUpdated": "2026-06-02T16:58:42.516Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24040 (GCVE-0-2026-24040)

Vulnerability from cvelistv5 – Published: 2026-02-02 20:38 – Updated: 2026-02-03 15:30

Title

jsPDF has a Shared State Race Condition in addJS Plugin

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/parallax/jsPDF/security/adviso…	x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/2863e5c2…	x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.1.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
parallax	jsPDF	Affected: < 4.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:29:49.991694Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:30:05.465Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jsPDF",
          "vendor": "parallax",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-362",
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T20:38:24.732Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79x6-5cj4"
        },
        {
          "name": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e"
        },
        {
          "name": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0"
        }
      ],
      "source": {
        "advisory": "GHSA-cjw8-79x6-5cj4",
        "discovery": "UNKNOWN"
      },
      "title": "jsPDF has a Shared State Race Condition in addJS Plugin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24040",
    "datePublished": "2026-02-02T20:38:24.732Z",
    "dateReserved": "2026-01-20T22:30:11.777Z",
    "dateUpdated": "2026-02-03T15:30:05.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24043 (GCVE-0-2026-24043)

Vulnerability from cvelistv5 – Published: 2026-02-02 20:34 – Updated: 2026-02-03 15:27

Title

jsPDF Affected by Stored XMP Metadata Injection (Spoofing & Integrity Violation)

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/parallax/jsPDF/security/adviso…	x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/efe54bf5…	x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.1.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
parallax	jsPDF	Affected: < 4.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24043",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:20:54.661574Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:27:51.282Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jsPDF",
          "vendor": "parallax",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T20:34:50.617Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422"
        },
        {
          "name": "https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff"
        },
        {
          "name": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0"
        }
      ],
      "source": {
        "advisory": "GHSA-vm32-vv63-w422",
        "discovery": "UNKNOWN"
      },
      "title": "jsPDF Affected by Stored XMP Metadata Injection (Spoofing \u0026 Integrity Violation)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24043",
    "datePublished": "2026-02-02T20:34:50.617Z",
    "dateReserved": "2026-01-20T22:30:11.777Z",
    "dateUpdated": "2026-02-03T15:27:51.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24133 (GCVE-0-2026-24133)

Vulnerability from cvelistv5 – Published: 2026-02-02 20:32 – Updated: 2026-02-03 15:17

Title

jsPDF Affected by Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0.

Severity

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/parallax/jsPDF/security/adviso…	x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/ae4b93f7…	x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.1.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
parallax	jsPDF	Affected: < 4.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24133",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:16:10.492386Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:17:40.830Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jsPDF",
          "vendor": "parallax",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T20:33:35.357Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c"
        },
        {
          "name": "https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d"
        },
        {
          "name": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0"
        }
      ],
      "source": {
        "advisory": "GHSA-95fx-jjr5-f39c",
        "discovery": "UNKNOWN"
      },
      "title": "jsPDF Affected by Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24133",
    "datePublished": "2026-02-02T20:32:37.631Z",
    "dateReserved": "2026-01-21T18:38:22.474Z",
    "dateUpdated": "2026-02-03T15:17:40.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24737 (GCVE-0-2026-24737)

Vulnerability from cvelistv5 – Published: 2026-02-02 20:29 – Updated: 2026-02-03 15:07

Title

jsPDF has a PDF Injection in AcroFormChoiceField which allows Arbitrary JavaScript Execution

Summary

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/parallax/jsPDF/security/adviso…	x_refsource_CONFIRM
https://github.com/parallax/jsPDF/commit/da291a5f…	x_refsource_MISC
https://github.com/parallax/jsPDF/releases/tag/v4.1.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
parallax	jsPDF	Affected: < 4.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24737",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:07:06.608038Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:07:51.844Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jsPDF",
          "vendor": "parallax",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T20:29:05.011Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328"
        },
        {
          "name": "https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79"
        },
        {
          "name": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/parallax/jsPDF/releases/tag/v4.1.0"
        }
      ],
      "source": {
        "advisory": "GHSA-pqxr-3g65-p328",
        "discovery": "UNKNOWN"
      },
      "title": "jsPDF has a PDF Injection in AcroFormChoiceField which allows Arbitrary JavaScript Execution"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24737",
    "datePublished": "2026-02-02T20:29:05.011Z",
    "dateReserved": "2026-01-26T19:06:16.059Z",
    "dateUpdated": "2026-02-03T15:07:51.844Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25639 (GCVE-0-2026-25639)

Vulnerability from cvelistv5 – Published: 2026-02-09 20:11 – Updated: 2026-02-18 17:16

Title

Axios affected by Denial of Service via __proto__ Key in mergeConfig

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

GitHub_M

References

7 references

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM
https://github.com/axios/axios/pull/7369	x_refsource_MISC
https://github.com/axios/axios/pull/7388	x_refsource_MISC
https://github.com/axios/axios/commit/28c721588c7…	x_refsource_MISC
https://github.com/axios/axios/commit/d7ff1409c68…	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v0.30.3	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v1.13.5	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.13.5 Affected: < 0.30.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:39:46.394625Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T15:59:44.468Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.13.5"
            },
            {
              "status": "affected",
              "version": "\u003c 0.30.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T17:16:16.391Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"
        },
        {
          "name": "https://github.com/axios/axios/pull/7369",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/7369"
        },
        {
          "name": "https://github.com/axios/axios/pull/7388",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/7388"
        },
        {
          "name": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"
        },
        {
          "name": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.30.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.30.3"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.13.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.13.5"
        }
      ],
      "source": {
        "advisory": "GHSA-43fc-jf86-j433",
        "discovery": "UNKNOWN"
      },
      "title": "Axios affected by Denial of Service via __proto__ Key in mergeConfig"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25639",
    "datePublished": "2026-02-09T20:11:22.374Z",
    "dateReserved": "2026-02-04T05:15:41.791Z",
    "dateUpdated": "2026-02-18T17:16:16.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0553

CVE-2025-68428 (GCVE-0-2025-68428)

CVE-2026-22029 (GCVE-0-2026-22029)

CVE-2026-24040 (GCVE-0-2026-24040)

CVE-2026-24043 (GCVE-0-2026-24043)

CVE-2026-24133 (GCVE-0-2026-24133)

CVE-2026-24737 (GCVE-0-2026-24737)

CVE-2026-25639 (GCVE-0-2026-25639)

Tags

Sightings

Nomenclature