Description
Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.
Published: 2026-02-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Fabric.js is a popular JavaScript library for working with HTML5 canvas and SVG. In versions prior to 7.2.0 the function that exports a canvas to SVG performs proper XML escaping only for the text content of shapes. Other string values that become part of the SVG attribute markup are exported without escaping. When attacker‑controlled JSON is loaded through the framework’s loadFromJSON() API and later exported with toSVG(), the unchecked values can break out of XML attributes and inject new elements, including event handlers that execute arbitrary JavaScript. The effect is a fully‑controlled, stored XSS vulnerability that occurs when the exported SVG is rendered in a victim’s browser. An attacker can execute arbitrary code with the privileges of that user, enabling credential theft, session hijacking, or defacement.

Affected Systems

Affected vendor is fabricjs for the fabric.js library. All versions before 7.2.0 are vulnerable. Any application that accepts JSON through loadFromJSON() and later renders the resulting SVG – such as collaborative editors, content‑management plugins, or email template generators – is potentially impacted. The repository change addressing the issue is committed in the 7.2.0 release series.

Risk and Exploitability

The CVSS score is 7.6 (High), indicating a considerable interaction and the potential for complete compromise of the victim’s browser context. EPSS is reported to be less than 1%, suggesting a low likelihood of exploitation in the wild, although the vulnerability may be actively used in targeted attacks. The flaw is not currently listed in CISA’s KEV catalog. Exploitation requires that an attacker controls the JSON input and that the resulting SVG is rendered in a vulnerable client. The vulnerability is already exploitable in practice as many web applications render SVGs directly on the page, and no user interaction or privileged step is required beyond providing the malicious JSON.

Generated by OpenCVE AI on April 17, 2026 at 17:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Fabric.js to version 7.2.0 or later, which includes the escape fix.
  • If an upgrade is not immediately possible, validate or sanitize all user‑supplied JSON before passing it to loadFromJSON(), ensuring that any string inserted into SVG attribute markup is properly escaped.
  • If the application renders SVGs to the page, consider rendering them in a sandboxed environment such as a dedicated iframe with the sandbox attribute or using Content‑Security‑Policy to restrict script execution.

Generated by OpenCVE AI on April 17, 2026 at 17:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hfvx-25r5-qc3w Fabric.js Affected by Stored XSS via SVG Export
History

Mon, 23 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Fabricjs
Fabricjs fabric.js
CPEs cpe:2.3:a:fabricjs:fabric.js:*:*:*:*:*:node.js:*:*
Vendors & Products Fabricjs
Fabricjs fabric.js

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Fabric-js Project
Fabric-js Project fabric-js
Vendors & Products Fabric-js Project
Fabric-js Project fabric-js

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Description Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.
Title Fabric.js Affected by Stored XSS via SVG Export
Weaknesses CWE-116
CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L'}

Subscriptions

Fabric-js Project Fabric-js
Fabricjs Fabric.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-19T21:21:59.208Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27013

cve-icon Vulnrichment

Updated: 2026-02-19T20:54:41.868Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T20:25:44.230

Modified: 2026-02-23T19:25:44.130

Link: CVE-2026-27013

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses