QwikSec

Security Database

CVE

CWE

Training

CVE-2026-22787

Published: Jan 14, 2026

Modified: Jan 20, 2026

PUBLISHED

Description

html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in [email protected].

Vendor	Product	Versions
eKoopmans	html2pdf.js	affected `< 0.14.0`

Weaknesses (CWE)

References

https://github.com/eKoopmans/html2pdf.js/security/advisories/GHSA-w8x4-x68c-m6fc

x_refsource_CONFIRM

https://github.com/eKoopmans/html2pdf.js/issues/865

x_refsource_MISC

https://github.com/eKoopmans/html2pdf.js/pull/877

x_refsource_MISC

https://github.com/eKoopmans/html2pdf.js/commit/988826e336035b39a8608182d7b73c0e3cd78c7b

x_refsource_MISC

https://github.com/eKoopmans/html2pdf.js/releases/tag/v0.14.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.