CVE-2026-27013

Source
https://cve.org/CVERecord?id=CVE-2026-27013
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27013.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27013
Aliases
Published
2026-02-19T19:38:19.711Z
Modified
2026-04-10T05:38:15.718393Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
Summary
Fabric.js Affected by Stored XSS via SVG Export
Details

Fabric.js is a JavaScript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml() to text content during SVG export (src/shapes/Text/TextSVGExportMixin.ts:186) but does not apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via loadFromJSON() and later exported via toSVG(), a value containing a quote character closes the attribute it was interpolated into, and the remainder of the value is emitted as raw markup, so the attacker can inject arbitrary SVG elements, including elements carrying event handler attributes. Any application that accepts user-supplied JSON (via loadFromJSON(), collaborative sharing, import features, CMS plugins) and renders the toSVG() output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS: the injected handlers execute arbitrary JavaScript in the session of whoever views the exported SVG. Version 7.2.0 contains a fix.
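The following is an added example, not fabric.js code, that models the bug class described above: an SVG exporter that escapes text content but interpolates another user-controlled string straight into an attribute, next to the hardened form that escapes every interpolated value. The object shape (a `fontFamily` property on a text object), the attacker document, and the helper names are assumptions made for the illustration; the real attribute affected in fabric.js is not named in this record. The quote-aware scanner at the end is a regression check for an export pipeline, not a sanitizer: it exists because a naive regex for `on*=` would also fire on the fixed output, where the payload survives only as inert text inside a quoted attribute value.

```javascript
// Added example (not fabric.js code). Models an SVG exporter that escapes text
// content but not an attribute value, and the hardened version.

const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Escape every character that can terminate text content or a quoted attribute.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Vulnerable shape: text escaped, attribute value interpolated raw.
// fontFamily is a hypothetical user-controlled property (assumption).
function textToSvgVulnerable(obj) {
  return `<text font-family="${obj.fontFamily}" x="0" y="16">${escapeXml(obj.text)}</text>`;
}

// Hardened shape: every interpolated string goes through escapeXml().
function textToSvgFixed(obj) {
  return `<text font-family="${escapeXml(obj.fontFamily)}" x="0" y="16">${escapeXml(obj.text)}</text>`;
}

// Stand-in for loadFromJSON() followed by toSVG(): parse, then export each object.
function exportSvg(json, textToSvg) {
  const doc = JSON.parse(json);
  const body = doc.objects.filter((o) => o.type === 'text').map(textToSvg).join('');
  return `<svg xmlns="http://www.w3.org/2000/svg">${body}</svg>`;
}

// Constructed attacker document: the fontFamily value closes the attribute and
// the <text> start tag, injects an element with an event handler, then reopens
// a <text> so the exporter's remaining markup still parses.
const ATTACKER_JSON = JSON.stringify({
  objects: [{
    type: 'text',
    text: 'hello',
    fontFamily: 'Arial"><image href="x" onerror="alert(document.domain)"/><text x="',
  }],
});

// Quote-aware scan of start tags: returns [{ name, attrs: [...] }, ...].
// Attribute values are skipped whole, so escaped payload text inside a quoted
// value is never mistaken for an attribute name.
function listElements(svg) {
  const elements = [];
  const tagRe = /<([A-Za-z][\w:-]*)/g;
  let m;
  while ((m = tagRe.exec(svg)) !== null) {
    let i = m.index + m[0].length;
    const attrs = [];
    while (i < svg.length && svg[i] !== '>') {
      if (/[\s/]/.test(svg[i])) { i++; continue; }
      let name = '';
      while (i < svg.length && !/[\s=>/]/.test(svg[i])) name += svg[i++];
      while (i < svg.length && /\s/.test(svg[i])) i++;
      if (svg[i] === '=') {
        i++;
        while (i < svg.length && /\s/.test(svg[i])) i++;
        const q = svg[i];
        if (q === '"' || q === "'") {
          const end = svg.indexOf(q, i + 1);      // skip over the quoted value
          i = end === -1 ? svg.length : end + 1;
        } else {
          while (i < svg.length && !/[\s>]/.test(svg[i])) i++;
        }
      }
      if (name) attrs.push(name.toLowerCase());
    }
    tagRe.lastIndex = i;
    elements.push({ name: m[1].toLowerCase(), attrs });
  }
  return elements;
}

// Regression check: an on* attribute or <script> element in the export of a
// document that contained none means an interpolated value was not escaped.
function hasInjectedMarkup(svg) {
  return listElements(svg).some(
    (el) => el.name === 'script' || el.attrs.some((a) => a.startsWith('on')),
  );
}

// Usage: the vulnerable exporter yields four elements (svg, text, image, text)
// with an onerror handler; the fixed exporter yields two and no handler.
console.log(hasInjectedMarkup(exportSvg(ATTACKER_JSON, textToSvgVulnerable))); // true
console.log(hasInjectedMarkup(exportSvg(ATTACKER_JSON, textToSvgFixed)));      // false
```

The injected handler only fires where the exported markup is parsed as a document or as inline SVG (an SVG preview rendered into the page, the file opened directly, an embed); SVG loaded through an `<img>` element does not execute scripts or event handlers, which is one reason the record scores the issue with user interaction required. The fix is the same regardless of the attribute involved: every string that reaches the serializer, not only text content, goes through escapeXml().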

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27013.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/fabricjs/fabric.js

Affected ranges

Type
GIT
Repo
https://github.com/fabricjs/fabric.js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*
1.6.2
1.6.3
1.6.4
1.7.0
1.7.4
2.*
2.4.2-b
3.*
3.3.2
4.*
4.0.0-beta.5
v1.*
v1.2.0
v1.3.0
v1.3.7
v1.4.0
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.6.0
v1.6.1
v1.6.5
v1.6.6
v1.6.7
v1.7.1
v1.7.2
v1.7.3
v1.7.5
v1.7.6
v2.*
v2.0.0
v2.0.0-beta.1
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.6
v2.0.0-beta.7
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.0-rc.3
v2.0.0-rc.4
v2.0.1
v2.0.2
v2.0.3
v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5.0
v2.6.0
v2.7.0
v3.*
v3.0.0
v3.1.0
v3.2.0
v3.4.0
v3.5.0
v3.6.0
v3.6.1
v4.*
v4.0.0
v4.0.0-beta.1
v4.0.0-beta.10
v4.0.0-beta.11
v4.0.0-beta.12
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0-beta.6
v4.0.0-beta.7
v4.0.0-beta.8
v4.0.0-beta.9
v4.0.0-rc.1
v4.1.0
v4.2.0
v4.3.0
v4.3.1
v4.4.0
v4.5.0
Other
v451
v460
v500
v510
v610
v620
v630
v640
v641
v642
v643
v650
v651
v652
v653
v654
v660
v661
v662
v700
v700-beta1
v700-rc1
v710
v6.*
v6.0.0-beta1
v6.0.0-beta10
v6.0.0-beta11
v6.0.0-beta12
v6.0.0-beta13
v6.0.0-beta14
v6.0.0-beta15
v6.0.0-beta16
v6.0.0-beta17
v6.0.0-beta18
v6.0.0-beta19
v6.0.0-beta2
v6.0.0-beta20
v6.0.0-beta3
v6.0.0-beta4
v6.0.0-beta5
v6.0.0-beta6
v6.0.0-beta7
v6.0.0-beta8
v6.0.0-beta9
v6.0.0-rc.0
v6.0.0-rc1
v6.0.0-rc2
v6.0.0-rc3
v6.0.0-rc4
v6.0.0-rc5
v6.0.1
v6.0.2

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "7.2.0"
            }
        ]
    }
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27013.json"