GHSA-h3q6-jfrg-3x6q (CVE-2026-25630)

Details

The following security vulnerability was identified in jsPDF versions <=3.0.4: Local File Inclusion/Path Traversal.

Impact

Since SurveyJS PDF Generator depends on jsPDF, any project using survey-pdf v1.12.58 and lower or v2.5.4 and lower could be exposed to this vulnerability.

Solution

SurveyJS PDF Generator has upgraded jsPDF to version >= 4.0.0 and included the fix in the following survey-pdf releases:

Action

Users should upgrade survey-pdf in their projects to v1.12.59+ or v2.5.5+ immediately.

Notes

No other survey-pdf dependencies are affected. This update is fully backward-compatible with previous survey-pdf releases.

Affected Packages

survey-pdf

npm

Fixed in:

1.12.59

survey-pdf

npm

Fixed in:

2.5.5

References

ADVISORY

https://github.com/advisories/GHSA-h3q6-jfrg-3x6q

WEB

https://github.com/parallax/jsPDF/security/advisories/GHSA-f8cm-6447-x5h2

PACKAGE

https://github.com/surveyjs/survey-pdf

WEB

https://github.com/surveyjs/survey-pdf/security/advisories/GHSA-h3q6-jfrg-3x6q

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-25630