{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27013", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T03:08:23.490Z", "datePublished": "2026-02-19T19:38:19.711Z", "dateUpdated": "2026-02-19T21:21:59.208Z"}, "containers": {"cna": {"title": "Fabric.js Affected by Stored XSS via SVG Export", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w"}, {"name": "https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee", "tags": ["x_refsource_MISC"], "url": "https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee"}, {"name": "https://github.com/fabricjs/fabric.js/releases/tag/v720", "tags": ["x_refsource_MISC"], "url": "https://github.com/fabricjs/fabric.js/releases/tag/v720"}], "affected": [{"vendor": "fabricjs", "product": "fabric.js", "versions": [{"version": "< 7.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:38:19.711Z"}, "descriptions": [{"lang": "en", "value": "Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix."}], "source": {"advisory": "GHSA-hfvx-25r5-qc3w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:54:40.361805Z", "id": "CVE-2026-27013", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:21:59.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27013", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T20:54:40.361805Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:54:41.868Z"}}], "cna": {"title": "Fabric.js Affected by Stored XSS via SVG Export", "source": {"advisory": "GHSA-hfvx-25r5-qc3w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "fabricjs", "product": "fabric.js", "versions": [{"status": "affected", "version": "< 7.2.0"}]}], "references": [{"url": "https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w", "name": "https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee", "name": "https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/fabricjs/fabric.js/releases/tag/v720", "name": "https://github.com/fabricjs/fabric.js/releases/tag/v720", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T19:38:19.711Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27013", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:21:59.208Z", "dateReserved": "2026-02-17T03:08:23.490Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T19:38:19.711Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fabricjs:fabric.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "0E3B1F04-2E51-4440-AB7E-01B8C407F877", "versionEndExcluding": "7.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix."}], "id": "CVE-2026-27013", "lastModified": "2026-02-23T19:25:44.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T20:25:44.230", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/fabricjs/fabric.js/releases/tag/v720"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.2.0)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "matching", "scores": [{"score": 80.0, "source": "matching"}]}, "original": {"product": "fabric.js", "source": "cna", "vendor": "fabricjs"}, "product": "fabric-js", "vendor": "fabric-js_project"}], "analysis": {"en": {"generated_at": "2026-04-17T17:56:13.817739+00:00", "value": {"mitigation_remediation": ["Upgrade Fabric.js to version 7.2.0 or later, which includes the escape fix.", "If an upgrade is not immediately possible, validate or sanitize all user\u2011supplied JSON before passing it to loadFromJSON(), ensuring that any string inserted into SVG attribute markup is properly escaped.", "If the application renders SVGs to the page, consider rendering them in a sandboxed environment such as a dedicated iframe with the sandbox attribute or using Content\u2011Security\u2011Policy to restrict script execution."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected vendor is fabricjs for the fabric.js library. All versions before 7.2.0 are vulnerable. Any application that accepts JSON through loadFromJSON() and later renders the resulting SVG \u2013 such as collaborative editors, content\u2011management plugins, or email template generators \u2013 is potentially impacted. The repository change addressing the issue is committed in the 7.2.0 release series.", "description_and_impact": "Fabric.js is a popular JavaScript library for working with HTML5 canvas and SVG. In versions prior to 7.2.0 the function that exports a canvas to SVG performs proper XML escaping only for the text content of shapes. Other string values that become part of the SVG attribute markup are exported without escaping. When attacker\u2011controlled JSON is loaded through the framework\u2019s loadFromJSON() API and later exported with toSVG(), the unchecked values can break out of XML attributes and inject new elements, including event handlers that execute arbitrary JavaScript. The effect is a fully\u2011controlled, stored XSS vulnerability that occurs when the exported SVG is rendered in a victim\u2019s browser. An attacker can execute arbitrary code with the privileges of that user, enabling credential theft, session hijacking, or defacement.", "risk_and_exploitability": "The CVSS score is 7.6 (High), indicating a considerable interaction and the potential for complete compromise of the victim\u2019s browser context. EPSS is reported to be less than 1%, suggesting a low likelihood of exploitation in the wild, although the vulnerability may be actively used in targeted attacks. The flaw is not currently listed in CISA\u2019s KEV catalog. Exploitation requires that an attacker controls the JSON input and that the resulting SVG is rendered in a vulnerable client. The vulnerability is already exploitable in practice as many web applications render SVGs directly on the page, and no user interaction or privileged step is required beyond providing the malicious JSON."}}}}, "created": "2026-02-20T09:54:11.505590+00:00", "updated": "2026-04-17T18:00:12.186798+00:00", "vendors": ["fabric-js_project", "fabric-js_project$PRODUCT$fabric-js"]}