CVE-2026-44311: Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization

June 12, 2026

A potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method.

Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG <stop> elements. If an application renders the generated SVG string into the DOM (e.g., via innerHTML), this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim’s browser.

References

github.com/advisories/GHSA-w22m-hvvm-xmwx
github.com/fabricjs/fabric.js/releases/tag/v740
github.com/fabricjs/fabric.js/security/advisories/GHSA-w22m-hvvm-xmwx
nvd.nist.gov/vuln/detail/CVE-2026-44311

Code Behaviors & Features

Detect and mitigate CVE-2026-44311 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →