PT-2026-20907 · Fabricjs · Fabric-Js

Nedlir

·

Published

2026-02-18

·

Updated

2026-02-19

·

CVE-2026-27013

CVSS v3.1

7.6

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Fabric.js versions prior to 7.2.0
Description

Fabric.js is a JavaScript HTML5 canvas library susceptible to a stored cross-site scripting (XSS) issue during SVG export. During export the library applies escapeXml() to text content, but not to other user-controlled string values that it interpolates into SVG attribute markup. When attacker-controlled JSON is loaded with loadFromJSON() and the canvas is subsequently exported with toSVG(), an unescaped value containing a quote character can terminate the attribute it sits in and inject arbitrary SVG attributes and elements, including event handlers. Applications that accept user-supplied JSON (for example through collaborative sharing, import features, or CMS plugins), load it with loadFromJSON(), and render the toSVG() output in a browser context (such as SVG previews, export downloads rendered in-page, or email templates) are potentially vulnerable: an attacker could execute arbitrary JavaScript in the victim's browser session. The vulnerable code is located in src/shapes/Text/TextSVGExportMixin.ts:186.

Recommendations

Update Fabric.js to version 7.2.0 or later. Versions prior to 7.2.0 are affected.
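The escaping pattern this advisory describes, as an added illustrative example. This is not Fabric.js code and does not reproduce the library's serializer: the object shape, the `fontFamily` property used as the unescaped attribute, the `escapeXml()` implementation, the attacker payload and the checker function are all assumptions made for the illustration. It shows an escaped-content/unescaped-attribute serializer next to its hardened form, feeds both a constructed JSON object of the kind an import path would hand to loadFromJSON(), and parses the resulting start tag the way an XML parser would, so the injected event handler is visible as a real attribute in one case and remains inert data in the other.

```javascript
// Added illustrative example, not Fabric.js code: a minimal model of the bug
// class described in this advisory (escaped text content, unescaped attribute
// value). The object shape, the `fontFamily` property, both serializers and
// the attacker payload are assumptions for illustration only.

// Escaper in the style of an escapeXml() helper (assumed shape). It covers the
// five XML special characters, so the output is safe both as element content
// and inside a double- or single-quoted attribute value.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Inverse used only by the checker below, mirroring what an XML parser does
// when it decodes an attribute value. `&amp;` is decoded last on purpose.
function unescapeXml(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern: text content is escaped, but a second user-controlled
// string is interpolated straight into an attribute.
function toSvgVulnerable(obj) {
  return `<text font-family="${obj.fontFamily}">${escapeXml(obj.text)}</text>`;
}

// Hardened pattern: every user-controlled string that reaches the markup is
// escaped, whether it becomes element content or an attribute value.
function toSvgFixed(obj) {
  return `<text font-family="${escapeXml(obj.fontFamily)}">${escapeXml(obj.text)}</text>`;
}

// Reads the attributes of the first start tag the way an XML parser would:
// quotes delimit values, so whatever sits inside a quoted value is data.
function parseStartTagAttributes(markup) {
  const tag = markup.match(/<([A-Za-z][\w:-]*)((?:\s+[\w:-]+\s*=\s*"[^"]*")*)\s*\/?>/);
  if (!tag) return null;
  const attrs = {};
  const attrRe = /([\w:-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(tag[2])) !== null) attrs[m[1]] = unescapeXml(m[2]);
  return { name: tag[1], attrs };
}

// Red-flag check for an export pipeline: a text element produced from plain
// object data should never carry an on* event-handler attribute.
function hasEventHandlerAttribute(markup) {
  const parsed = parseStartTagAttributes(markup);
  return parsed !== null && Object.keys(parsed.attrs).some((k) => /^on/i.test(k));
}

// Constructed attacker-controlled JSON, as it would arrive through an import
// path that feeds loadFromJSON(): the embedded quote ends the attribute and
// an event handler follows.
const constructedJson = JSON.stringify({
  type: 'text',
  text: 'Hello <world> & friends',
  fontFamily: 'Arial" onload="alert(document.domain)',
});

const importedObject = JSON.parse(constructedJson);
const vulnerableSvg = toSvgVulnerable(importedObject);
const fixedSvg = toSvgFixed(importedObject);

console.log(vulnerableSvg, hasEventHandlerAttribute(vulnerableSvg)); // true
console.log(fixedSvg, hasEventHandlerAttribute(fixedSvg)); // false
```

Run it with `node`. In the vulnerable output the parser sees two attributes, `font-family="Arial"` and `onload="alert(document.domain)"`; in the hardened output it sees a single `font-family` attribute whose decoded value is the attacker string verbatim, so the data is preserved and nothing executes. The checker only inspects the first start tag and is a review aid, not a sanitizer; the fix is upgrading (`npm ls fabric` shows the installed version), and an injected handler fires only where the SVG is parsed as active content, for example inlined into the DOM or opened as a document, whereas an SVG referenced from an `<img>` element does not run scripts.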

Exploit

Fix

Weakness Enumeration

Improper Encoding or Escaping of Output

XSS

Related Identifiers

CVE-2026-27013
GHSA-HFVX-25R5-QC3W

Affected Products

Fabric-Js