Advisories for Npm/@Pdfme/Schemas package

2026

Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas

The SVG schema plugin in @pdfme/schemas renders user-supplied SVG content using container.innerHTML = value without any sanitization, enabling arbitrary JavaScript execution in the user's browser.

Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas

The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution.