PT-2026-26477 · Dicebear · Dicebear

Restriction · Published 2026-03-19 · Updated 2026-03-24 · CVE-2026-33311

CVSS v3.1: 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

DiceBear versions prior to 5.4.4
DiceBear versions 6.1.4 and earlier
DiceBear versions 7.1.4 and earlier
DiceBear versions 8.0.3 and earlier
DiceBear versions 9.4.1 and earlier

Description

The software does not properly escape SVG attribute values derived from user-supplied options such as backgroundColor, fontFamily, and textColor before including them in SVG output. This could lead to Cross-Site Scripting (XSS) if an application passes untrusted input to the createAvatar() function and serves the resulting SVG as image/svg+xml. Applications that validate input against the library's JSON Schema before passing it to createAvatar() are not affected. The DiceBear CLI, which validates input using AJV, was also not vulnerable. Exploitation requires passing unvalidated external input directly as option values.

Recommendations

Versions prior to 5.4.4 should be upgraded to version 5.4.4 or later.
Versions 6.1.4 and earlier should be upgraded to version 6.1.4 or later.
Versions 7.1.4 and earlier should be upgraded to version 7.1.4 or later.
Versions 8.0.3 and earlier should be upgraded to version 8.0.3 or later.
Versions 9.4.1 and earlier should be upgraded to version 9.4.1 or later.
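The advisory's mitigation is that option values must be validated (schema or allow-list) before they reach createAvatar(), and the fix itself is escaping of attribute values. The following is an added example, not DiceBear's own code and not its real JSON Schema: a hypothetical allow-list validator (validateAvatarOptions), an XML attribute escaper (escapeSvgAttr), and a toy renderer (renderBackground) that shows how the two layers keep untrusted input out of SVG attribute context. The regular expressions are assumed shapes chosen for illustration.

```javascript
// Added example (not DiceBear's code). Demonstrates the defensive pattern the
// advisory describes: validate option values against a strict allow-list before
// they are interpolated into SVG attribute values, and escape them as a second
// layer. All names and patterns below are hypothetical.

// Allow-list per option. Assumed shapes, not DiceBear's real JSON Schema.
const OPTION_RULES = {
  backgroundColor: /^[0-9a-fA-F]{6}$/,      // six hex digits, no "#"
  textColor: /^[0-9a-fA-F]{6}$/,
  fontFamily: /^[A-Za-z0-9 ,'-]{1,64}$/,     // plain font names only
};

// Validates a user-supplied options object against OPTION_RULES.
// Returns { ok: true, value } with only the accepted keys, or
// { ok: false, errors } listing every rejected or unknown key.
function validateAvatarOptions(options) {
  const errors = [];
  const clean = {};
  for (const [key, value] of Object.entries(options)) {
    const rule = OPTION_RULES[key];
    if (!rule) {
      errors.push(`unknown option: ${key}`);
      continue;
    }
    if (typeof value !== 'string' || !rule.test(value)) {
      errors.push(`invalid value for ${key}`);
      continue;
    }
    clean[key] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value: clean };
}

// Second layer: escape the five characters that can terminate a quoted XML
// attribute value or open a new element. Applied even to values that passed
// the allow-list, so a future relaxation of OPTION_RULES cannot reopen the issue.
function escapeSvgAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Toy renderer: builds one SVG rect the way a generator would interpolate a
// backgroundColor option. Throws on validation failure so that unvalidated
// input never reaches the template string.
function renderBackground(options) {
  const result = validateAvatarOptions(options);
  if (!result.ok) {
    throw new Error(`rejected avatar options: ${result.errors.join('; ')}`);
  }
  const fill = escapeSvgAttr('#' + result.value.backgroundColor);
  return `<rect width="100" height="100" fill="${fill}"/>`;
}

// Stand-alone usage with constructed inputs.
console.log(renderBackground({ backgroundColor: 'ff0000' }));
console.log(validateAvatarOptions({ backgroundColor: 'not a colour' }));
```

The allow-list is the control that actually matters here: a value that can only be six hex digits has no attribute-breaking characters to escape. The escaper is kept as defence in depth for options such as fontFamily whose legitimate values are less constrained.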

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33311
GHSA-MR9R-MWW3-V6GV

Affected Products

Dicebear