Description

Fabric.js is a Javascript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG elements. If an application renders the generated SVG string into the DOM, this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim's browser. This vulnerability is fixed in 7.4.0.

Severity (CVSS)

Base score5.4
SeverityMedium
VersionCVSS 3.1
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Provided byCNA

Weaknesses

  • CWE-79 — CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-116 — CWE-116: Improper Encoding or Escaping of Output

Affected products

VendorProductVersions
fabricjsfabric.js< 7.4.0

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 23 Jun 2026 10:05 UTC.