{"id":"CVE-2026-27013","summary":"Fabric.js Affected by Stored XSS via SVG Export","details":"Fabric.js is a JavaScript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements, including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context where script can run (SVG inlined into the page DOM, an export download rendered in-page, an email template, an embed) is vulnerable to stored XSS. Note that SVG displayed only as an image (an img element or CSS background) does not execute script; the exploitable condition is the untrusted SVG being inserted into the page DOM or navigated to directly as a document. An attacker can then execute arbitrary JavaScript in the victim's browser session once the victim views the injected SVG (the CVSS vector reflects this with UI:R). Version 7.2.0 contains a fix; until upgraded, treat `toSVG()` output derived from untrusted JSON as untrusted markup and sanitize it before rendering it in the DOM.","aliases":["GHSA-hfvx-25r5-qc3w"],"modified":"2026-04-10T05:38:15.718393Z","published":"2026-02-19T19:38:19.711Z","database_specific":{"cwe_ids":["CWE-116","CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27013.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/fabricjs/fabric.js/releases/tag/v720"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27013.json"},{"type":"ADVISORY","url":"https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27013"},{"type":"FIX","url":"https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/fabricjs/fabric.js","events":[{"introduced":"0"},{"fixed":"7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee"}]},{"type":"GIT","repo":"https://github.com/fabricjs/fa
bric.js","events":[{"introduced":"0"},{"fixed":"2604cd993f38880ad22c41a03f54509e178388c3"}]}],"versions":["1.6.2","1.6.3","1.6.4","1.7.0","1.7.4","2.4.2-b","3.3.2","4.0.0-beta.5","v1.2.0","v1.3.0","v1.3.7","v1.4.0","v1.4.10","v1.4.11","v1.4.12","v1.4.13","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.4.9","v1.5.0","v1.6.0","v1.6.1","v1.6.5","v1.6.6","v1.6.7","v1.7.1","v1.7.2","v1.7.3","v1.7.5","v1.7.6","v2.0.0","v2.0.0-beta.1","v2.0.0-beta.3","v2.0.0-beta.4","v2.0.0-beta.6","v2.0.0-beta.7","v2.0.0-rc.1","v2.0.0-rc.2","v2.0.0-rc.3","v2.0.0-rc.4","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.5.0","v2.6.0","v2.7.0","v3.0.0","v3.1.0","v3.2.0","v3.4.0","v3.5.0","v3.6.0","v3.6.1","v4.0.0","v4.0.0-beta.1","v4.0.0-beta.10","v4.0.0-beta.11","v4.0.0-beta.12","v4.0.0-beta.2","v4.0.0-beta.3","v4.0.0-beta.4","v4.0.0-beta.6","v4.0.0-beta.7","v4.0.0-beta.8","v4.0.0-beta.9","v4.0.0-rc.1","v4.1.0","v4.2.0","v4.3.0","v4.3.1","v4.4.0","v4.5.0","v451","v460","v500","v510","v6.0.0-beta1","v6.0.0-beta10","v6.0.0-beta11","v6.0.0-beta12","v6.0.0-beta13","v6.0.0-beta14","v6.0.0-beta15","v6.0.0-beta16","v6.0.0-beta17","v6.0.0-beta18","v6.0.0-beta19","v6.0.0-beta2","v6.0.0-beta20","v6.0.0-beta3","v6.0.0-beta4","v6.0.0-beta5","v6.0.0-beta6","v6.0.0-beta7","v6.0.0-beta8","v6.0.0-beta9","v6.0.0-rc.0","v6.0.0-rc1","v6.0.0-rc2","v6.0.0-rc3","v6.0.0-rc4","v6.0.0-rc5","v6.0.1","v6.0.2","v610","v620","v630","v640","v641","v642","v643","v650","v651","v652","v653","v654","v660","v661","v662","v700","v700-beta1","v700-rc1","v710"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27013.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"7.2.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L"}]}