Code Injection and DoS Vulnerabilities in Popular JavaScript/TypeScript Developer Tools
Two widely used JavaScript/TypeScript ecosystem tools disclosed high-severity vulnerabilities that can be triggered by untrusted input during code or document generation. jsPDF patched CVE-2026-24737 (CVSS 8.1), where user-controlled properties in the AcroForm module can enable injection of arbitrary PDF objects (including JavaScript actions) via APIs such as AcroformChoiceField.addOption and AcroFormCheckBox.appearanceState, potentially leading to script execution when a victim opens a crafted PDF. It also patched CVE-2026-24133 (CVSS 8.7), a denial-of-service condition in BMPDecoder reachable through addImage, where a malicious BMP with manipulated width/height headers can force excessive memory allocation and crash the application or browser tab.
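The BMPDecoder issue above is reachable only once untrusted bytes reach the decoder, so the practical mitigation is to reject absurd headers first. The following is an added example, not jsPDF's own code: `checkBmpHeader()` and the constructed-sample builder `makeBmp()` are names assumed here, and the pixel budget is a deployment choice.

```javascript
// Added example, not jsPDF code: inspect a BMP header and reject images whose
// declared size would exhaust memory before the bytes reach a decoder (the
// "validate image data before processing" mitigation). Assumptions: input is a
// Uint8Array with a BITMAPINFOHEADER-style DIB header; the budget is a tunable.
const MAX_PIXELS = 50_000_000; // roughly 200 MB once decoded to RGBA

function checkBmpHeader(bytes, maxPixels = MAX_PIXELS) {
  if (bytes.length < 34) return { ok: false, reason: "truncated header" };
  if (bytes[0] !== 0x42 || bytes[1] !== 0x4d) return { ok: false, reason: "not a BMP" };
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const pixelOffset = dv.getUint32(10, true);
  if (dv.getUint32(14, true) < 40) return { ok: false, reason: "unsupported DIB header" };
  const width = dv.getInt32(18, true);
  const height = Math.abs(dv.getInt32(22, true)); // negative height = top-down rows
  const bpp = dv.getUint16(28, true);
  const compression = dv.getUint32(30, true);
  if (width <= 0 || height === 0) return { ok: false, reason: "bad dimensions" };
  // Both values are below 2^31, so the product compares correctly as a double
  // even where it is no longer exact: anything that large is over budget anyway.
  if (width * height > maxPixels) {
    return { ok: false, reason: "pixel budget exceeded", width, height };
  }
  if (compression === 0) { // BI_RGB: row size is predictable, so check it exists
    const rowBytes = Math.floor((width * bpp + 31) / 32) * 4;
    if (pixelOffset + rowBytes * height > bytes.length) {
      return { ok: false, reason: "declared pixel data exceeds file size", width, height };
    }
  }
  return { ok: true, width, height, bpp };
}

// Constructed sample: 54-byte header with the given declared dimensions followed
// by `dataBytes` bytes of zeroed BI_RGB pixel data.
function makeBmp(width, height, bpp, dataBytes) {
  const b = new Uint8Array(54 + dataBytes);
  const dv = new DataView(b.buffer);
  b[0] = 0x42; b[1] = 0x4d;        // "BM"
  dv.setUint32(2, b.length, true); // file size
  dv.setUint32(10, 54, true);      // pixel data offset
  dv.setUint32(14, 40, true);      // BITMAPINFOHEADER
  dv.setInt32(18, width, true);
  dv.setInt32(22, height, true);
  dv.setUint16(26, 1, true);       // planes
  dv.setUint16(28, bpp, true);
  dv.setUint32(30, 0, true);       // BI_RGB
  return b;
}
```

Run the check on the raw upload before calling `addImage`; a header that passes still gets decoded by the library, but one that fails never allocates.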
Separately, Orval fixed CVE-2026-25141 (CVSS 9.3), a code-injection flaw in its OpenAPI-to-TypeScript client generation pipeline. The issue stems from insufficient sanitization of x-enum-descriptions content embedded into generated block comments; attackers can inject */ to terminate a comment and cause subsequent text to be treated as executable TypeScript/JavaScript. The advisory notes this is a bypass of an earlier fix for CVE-2026-23947, indicating prior mitigations were incomplete; organizations using Orval in CI/CD or consuming third-party OpenAPI specs are at heightened risk if inputs are not strictly trusted and validated.
Timeline
Feb 6, 2026
jsPDF 4.1.0 released to fix injection and DoS flaws
The jsPDF maintainers fixed both disclosed vulnerabilities in version 4.1.0 and recommended upgrading to jspdf 4.1.0 or later. As temporary mitigations, they advised sanitizing AcroForm input and validating image data before processing.
Feb 6, 2026
jsPDF vulnerabilities CVE-2026-24737 and CVE-2026-24133 disclosed
Two high-severity jsPDF flaws were disclosed: CVE-2026-24737, which can allow arbitrary PDF object injection through vulnerable AcroForm APIs, and CVE-2026-24133, a denial-of-service issue in BMPDecoder triggered by crafted BMP files with large dimensions. The bugs affect applications that pass unsanitized user input or unvalidated image data into the library.
Feb 4, 2026
Orval maintainers release patches for CVE-2026-25141
Following disclosure of CVE-2026-25141, Orval maintainers released patched versions and urged users to upgrade immediately and audit development pipelines for vulnerable releases. The flaw could enable arbitrary code injection when developers generate clients from malicious or compromised OpenAPI specifications.
Feb 4, 2026
Orval code-injection flaw CVE-2026-25141 disclosed
A critical vulnerability in Orval, tracked as CVE-2026-25141, was disclosed after researchers found attacker-controlled OpenAPI enum descriptions could break out of generated JavaScript comments and inject executable code. The issue was described as an incomplete fix bypass of the earlier CVE-2026-23947, leaving some updated users still vulnerable, including versions starting at 7.19.0.
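The comment break-out described in the summary and in the disclosure entry above (and in the related CVE-2026-23947 story further down) comes down to one untrusted string landing inside a block comment. The following is an added example, not Orval's code: `generateConstEnum()`, `escapeForBlockComment()` and `commentClosersMatchMembers()` are names assumed here, and the schema fragment is constructed.

```javascript
// Added example, not Orval's code: a minimal const enum emitter that shows how a
// description containing "*/" breaks out of the generated JSDoc comment, and the
// escaping step that keeps it inside. Assumption: one comment per member.
function escapeForBlockComment(text) {
  // "*/" is the only sequence that can close a block comment; splitting it with a
  // backslash keeps it readable but inert. Line terminators are folded to spaces
  // so a description cannot start a new line of code either.
  return String(text).replace(/\*\//g, "*\\/").replace(/[\r\n\u2028\u2029]/g, " ");
}

function generateConstEnum(enumName, schema, { escape = true } = {}) {
  const descriptions = schema["x-enum-descriptions"] || schema["x-enumDescriptions"] || [];
  const members = schema.enum.map((value, i) => {
    const raw = descriptions[i] || "";
    const doc = escape ? escapeForBlockComment(raw) : raw; // escape=false reproduces the bug
    return `  /** ${doc} */\n  ${String(value).toUpperCase()} = ${JSON.stringify(value)},`;
  });
  return `export const enum ${enumName} {\n${members.join("\n")}\n}\n`;
}

// Review gate for generated code: the only "*/" sequences allowed in the enum
// body are the comment closers the emitter wrote itself, one per member.
function commentClosersMatchMembers(code, memberCount) {
  return (code.match(/\*\//g) || []).length === memberCount;
}

// Constructed spec fragment; the second description attempts a comment break-out.
const SAMPLE_SCHEMA = {
  type: "string",
  enum: ["open", "closed"],
  "x-enum-descriptions": ["Ticket is open", "Closed */ breakoutMarker(); /*"],
};
```

The counting gate is cheap enough to run in CI over every generated file from a third-party spec, independent of which generator version produced it.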
Related Stories

Critical Code Injection in Orval OpenAPI Client Generator (CVE-2026-23947)
A critical software supply-chain vulnerability, **CVE-2026-23947** (CVSS **9.3**), was disclosed in *Orval*, a widely used npm tool that generates type-safe TypeScript/JavaScript clients from OpenAPI/Swagger specifications. The flaw allows **code injection** when Orval processes untrusted or compromised API specifications: attacker-controlled content in the `x-enumDescriptions` / `x-enum-descriptions` field is embedded without proper escaping in `getEnumImplementation()`, enabling malicious TypeScript/JavaScript to be written into generated client/schema files during `const enum` generation. Successful exploitation can lead to **arbitrary code execution in environments consuming the generated clients**, shifting risk to downstream developers and build/runtime pipelines that treat generated code as trusted. Affected versions are reported as **7.10.0 through 8.0.2**, and vendor guidance indicates updating to a fixed release (noted as *Orval* **8.0.2**) to remediate; the issue is described as similar to **CVE-2026-22785** but impacting a different `@orval/core` code path not covered by the earlier fix.
1 month ago
PDF Ecosystem Vulnerabilities Enable One-Click Attacks and PDF Object Injection
Security researchers reported multiple previously unknown weaknesses across the PDF ecosystem that can be exploited through crafted documents. Novee Security’s research into *Foxit* and *Apryse* PDF platforms described **13 vulnerability categories** and **16 exploit paths**, including **critical XSS** and **OS command injection**, with “one-click” scenarios where simply opening a document could trigger compromise and potentially enable account takeover or backend command execution. Separately, a high-severity flaw in the widely used *jsPDF* library was disclosed as **CVE-2026-25755** (CVSS **8.8**), enabling **PDF object injection** via improper sanitization in the `addJS` method. By breaking out of the `/JS (...)` string (e.g., injecting `) >> /Action ...`), an attacker can inject arbitrary PDF structures and actions such as `/OpenAction`, potentially triggering behavior even when JavaScript is disabled in the viewer and enabling document manipulation (e.g., altering `/Annots` or `/Signatures`) across different PDF viewers, including lightweight mobile/embedded parsers.
1 month ago
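Both the jsPDF AcroForm injection in the main story and the `addJS` break-out in the story above rely on untrusted text closing a PDF literal string early. As an added example that is not jsPDF's code, `pdfLiteral()` below serialises text with the escape rules of ISO 32000-1 section 7.3.4.2 and `literalEndsAtEnd()` is a structural check over the result; both names are assumed here, and the `) >> /Action` fragment is the one quoted in the story above.

```javascript
// Added example, not jsPDF code: serialise untrusted text as a PDF literal string
// the way ISO 32000-1 section 7.3.4.2 defines it, so a form option label or a
// /JS payload cannot close the string early. Assumption: text is Latin-1; the
// caller wraps the result in the surrounding dictionary itself.
function pdfLiteral(text) {
  let out = "(";
  for (const ch of String(text)) {
    const c = ch.codePointAt(0);
    if (ch === "\\" || ch === "(" || ch === ")") out += "\\" + ch; // delimiters
    else if (ch === "\n") out += "\\n";
    else if (ch === "\r") out += "\\r";
    else if (ch === "\t") out += "\\t";
    else if (c < 0x20) out += "\\" + c.toString(8).padStart(3, "0"); // octal escape
    else if (c > 0xff) throw new Error("use a hex string <...> or UTF-16BE for non-Latin-1 text");
    else out += ch;
  }
  return out + ")";
}

// Structural check a reviewer or a fuzz harness can apply to emitted objects:
// scanning with PDF escape rules, the parenthesis that returns nesting to zero
// must be the final byte. Anything after it would be parsed as PDF syntax.
function literalEndsAtEnd(literal) {
  let depth = 0;
  for (let i = 0; i < literal.length; i++) {
    const ch = literal[i];
    if (ch === "\\") { i++; continue; }   // skip the escaped character
    if (ch === "(") depth++;
    else if (ch === ")" && --depth === 0) return i === literal.length - 1;
  }
  return false;
}

// Constructed inputs: the break-out fragment quoted in the story above, once
// concatenated naively and once through pdfLiteral().
const BREAKOUT = ") >> /Action";
const NAIVE = "(" + BREAKOUT + ")";
```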
16 Vulnerabilities in Apryse WebViewer and Foxit PDF Cloud Services Enable Account Takeover and Data Theft
Researchers at **Novee** reported **16 vulnerabilities** affecting widely deployed PDF platforms **Apryse WebViewer** (formerly PDFTron) and **Foxit PDF cloud services/SDK components**, warning they could be exploited for **account hijacking, data theft, and in some cases remote code execution**. Reported issue classes include **DOM-based, stored, and reflected XSS**, **server-side request forgery (SSRF)**, **path traversal**, and **OS command injection**; testing indicated attackers could trigger exploitation via **crafted documents, messages, or URLs**, with elevated risk when these viewers are embedded inside **authenticated enterprise applications** and trusted domains. Technical details highlighted that Apryse WebViewer spans multiple trust boundaries (a React-based iframe UI ingesting untrusted inputs such as query strings and `postMessage`, a JavaScript/WebAssembly document engine, and server-side SDK services), and that insufficient validation across these boundaries enabled exploitation paths. The most severe issue described was a **critical OS command injection (CVSS 9.8)** in Foxit’s Node.js signature server component, where a POST body parameter was reportedly concatenated into a command execution path. Both **Apryse** and **Foxit** stated the findings were **responsibly disclosed** and addressed via **patches, updates, and configuration changes**, with additional security hardening performed during remediation.
1 month ago