CVE-2026-22787 HIGH

CVE-2026-22787: html2pdf.js has a cross-site scripting vulnerability

Vendor Ekoopmans
Product html2pdf.js
Weakness CWE-79 · XSS
Published January 14, 2026
Last update January 20, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0.

Key dates

02 Disclosure timeline

January 14, 2026 CVE published
January 20, 2026 Record updated
