## https://sploitus.com/exploit?id=39D1E4C0-5059-5BCE-A5C2-4EB7D4EC1EB0
# CVE-2026-25940 jsPDF PoC
A proof-of-concept for CVE-2026-25940 demonstrating how specially crafted AcroForm radio button appearances can trigger embedded JavaScript in vulnerable PDF viewers (e.g., Foxit). The repo includes a Node-based generator and a browser viewer harness to exercise different parsing paths.
> ⚠️ Use only in isolated, non-production environments. The sample payloads intentionally execute JavaScript and may invoke network requests or external programs. Do not open the generated PDF with untrusted viewers on a host you care about.
## Repo Contents
- [poc.js](poc.js): Generates a malicious PDF with multiple radio button options and distinct appearance streams to showcase different behaviors.
- [viewer.html](viewer.html): Minimal viewer harness to generate the PoC in-browser or load an existing sample, and render it both natively (iframe) and via PDF.js.
- [package.json](package.json): Declares the jsPDF dependency for the Node PoC.
## Prerequisites
- Node.js 18+ and npm.
## Setup
1. Install dependencies:
```sh
npm install
```
2. (Optional) Serve the viewer locally for cleaner loading of the HTML/JS:
```sh
npx http-server .
# then open http://localhost:8080/viewer.html
```
## Generate PoC PDF via Node
1. Run the generator:
```sh
node poc.js
```
2. The script writes `test.pdf` in the project root. Open it with your target PDF viewer to observe behavior. Keep networking blocked if you want to avoid outbound requests.
## Browser-Based Viewer Workflow
1. Open [viewer.html](viewer.html) directly in a browser or via a local server.
2. Click **Generate PoC PDF** to build the malicious document in-browser and load it into both the iframe (native/browser handler) and PDF.js canvas.
3. Alternatively, choose **Load file** and select a PDF you generated with the Node script.
4. Watch console/network activity for evidence of JavaScript execution; some viewers may suppress alerts while still running embedded actions.
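Because some viewers run embedded actions silently, a static pre-check can flag a document before any viewer opens it. The Node.js sketch below is an added example, not part of the PoC repository: `normalizeNames`, `triagePdf` and the `SAMPLE` fragment are constructed for illustration, and it assumes objects are stored uncompressed (files using object streams are reported as inconclusive).

```javascript
// Added example (not from the PoC repo): static triage of raw PDF text for
// script-bearing form fields. A hit means "review in a sandbox", nothing more.

// PDF names may hex-escape characters ("/J#53" is "/JS"); decode before matching.
function normalizeNames(text) {
  return text.replace(/\/[^\s\/\[\]()<>{}%]+/g, (name) =>
    name.replace(/#([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
}

function triagePdf(raw) {
  const report = { acroForm: false, objectStreams: false,
                   buttonFields: [], radioFields: [], scriptObjects: [] };
  const objRe = /(\d+)\s+\d+\s+obj\b([\s\S]*?)\bendobj/g;
  let m;
  while ((m = objRe.exec(raw)) !== null) {
    const id = Number(m[1]);
    const body = normalizeNames(m[2]);
    if (/\/AcroForm\b/.test(body)) report.acroForm = true;
    if (/\/ObjStm\b/.test(body)) report.objectStreams = true;
    if (/\/(JS|JavaScript)\b/.test(body)) report.scriptObjects.push(id);
    if (/\/FT\s*\/Btn\b/.test(body)) {
      report.buttonFields.push(id);
      // Field flag bit 16 (value 32768) marks a button field as a radio button.
      const ff = /\/Ff\s+(\d+)/.exec(body);
      if (ff && (Number(ff[1]) & 32768) !== 0) report.radioFields.push(id);
    }
  }
  if (report.acroForm && report.scriptObjects.length > 0) report.verdict = 'review';
  // Compressed object streams can hide dictionaries from a plain-text scan.
  else if (report.objectStreams) report.verdict = 'inconclusive';
  else report.verdict = 'no-script-markers';
  return report;
}

// Constructed sample: a radio field whose widget carries a script action,
// with the action names hex-escaped and a placeholder instead of a script.
const SAMPLE = [
  '1 0 obj << /Type /Catalog /AcroForm << /Fields [2 0 R] >> >> endobj',
  '2 0 obj << /FT /Btn /Ff 49152 /T (choice) /Kids [3 0 R] >> endobj',
  '3 0 obj << /Subtype /Widget /Parent 2 0 R',
  '  /A << /S /J#61vaScript /J#53 (constructed-placeholder) >> >> endobj',
].join('\n');

console.log(triagePdf(SAMPLE));
```

To scan a file on disk, pass the result of `fs.readFileSync(path, 'latin1')` to `triagePdf`.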
## Notes
- Payloads are tuned toward Foxit behavior; other viewers may partially mitigate or block them.
- If you adapt the payload, keep sizes similar to avoid changing object offsets that some exploit chains rely on.
- Always test in a VM or sandbox with restricted network egress.