Description

Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.

INFO

Published Date :

2026-02-19T19:38:19.711Z

Last Modified :

2026-02-19T21:21:59.208Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27013 vulnerability.

Vendors Products
Fabric-js Project
  • Fabric-js
Fabricjs
  • Fabric.js
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27013.

URL Resource
https://github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee cve-icon cve-icon
https://github.com/fabricjs/fabric.js/releases/tag/v720 cve-icon cve-icon
https://github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact