CVE-2026-27013
February 19, 2026
Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies "escapeXml()" to text content during SVG export ("src/shapes/Text/TextSVGExportMixin.ts:186") but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via "loadFromJSON()" and later exported via "toSVG()", the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via "loadFromJSON()", collaborative sharing, import features, CMS plugins) and renders the "toSVG()" output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.
Affected Packages
https://github.com/fabricjs/fabric.js.git (GITHUB):
Affected version(s) >=v0.9.35 <v720Fix Suggestion:
Update to version v720fabric (NPM):
Affected version(s) >=0.5.2 <7.2.0Fix Suggestion:
Update to version 7.2.0Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
EPSS
Base Score:
0.04
