CVE-2026-27013: Fabric.js Affected by Stored XSS via SVG Export
fabric.js applies escapeXml() to text content during SVG export (src/shapes/Text/TextSVGExportMixin.ts:186) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via loadFromJSON() and later exported via toSVG(), the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers.
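The pattern the advisory describes, as an added illustration that is not fabric.js code: text content is escaped, but a string from deserialized JSON is interpolated raw into attribute markup, so a quote in that string ends the attribute and the rest of the value becomes markup. The helper names (escapeXmlAttr, buildTextElementUnsafe, buildTextElement, findRiskyMarkup) and the choice of font-family as the example attribute are assumptions for the demonstration; the advisory does not name which attributes were affected.

```javascript
// Added example, not fabric.js source. Helper names and the font-family
// attribute are illustrative assumptions; the sample input is constructed.

// Escape the five XML-significant characters so a string can sit safely
// inside a double-quoted attribute value or in text content.
function escapeXmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: the text node is escaped, but the attribute value is
// interpolated exactly as it arrived from JSON.
function buildTextElementUnsafe(obj) {
  return `<text font-family="${obj.fontFamily}">${escapeXmlAttr(obj.text)}</text>`;
}

// Hardened shape: every user-controlled string that lands in attribute
// markup goes through the same escaper as the text content.
function buildTextElement(obj) {
  return `<text font-family="${escapeXmlAttr(obj.fontFamily)}">${escapeXmlAttr(obj.text)}</text>`;
}

// Post-export check for SVG produced from untrusted JSON: a plain text
// export never needs event-handler attributes or script elements, so
// their presence is a reliable signal that something broke out of an attribute.
function findRiskyMarkup(svg) {
  const findings = [];
  for (const m of svg.matchAll(/\s(on[a-z]+)\s*=/gi)) {
    findings.push(`event handler attribute: ${m[1]}`);
  }
  if (/<script[\s>]/i.test(svg)) findings.push('script element');
  return findings;
}

// Constructed input: the font-family value carries a closing quote followed
// by a harmless extra attribute, which is enough to show the breakout.
const untrusted = { text: 'hello', fontFamily: 'Arial" data-x="1' };

console.log(buildTextElementUnsafe(untrusted)); // attribute breakout: data-x becomes its own attribute
console.log(buildTextElement(untrusted));       // quote stays inside the attribute as &quot;
```

In the unsafe output the injected quote terminates font-family and `data-x="1"` is parsed as a separate attribute; in the hardened output the whole string remains one attribute value. The findRiskyMarkup check is a cheap secondary control for pipelines that export SVG from stored JSON, not a substitute for upgrading to the fixed release.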
References
- github.com/advisories/GHSA-hfvx-25r5-qc3w
- github.com/fabricjs/fabric.js
- github.com/fabricjs/fabric.js/commit/7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee
- github.com/fabricjs/fabric.js/releases/tag/v720
- github.com/fabricjs/fabric.js/security/advisories/GHSA-hfvx-25r5-qc3w
- nvd.nist.gov/vuln/detail/CVE-2026-27013