Description
Fabric.js is a JavaScript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG elements. If an application renders the generated SVG string into the DOM, this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim's browser. This vulnerability is fixed in 7.4.0.
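An added application-side guard illustrating the mitigation the description implies (this is example code, not Fabric.js's own fix): gradient color stops taken from user input are allow-list validated and XML-escaped before they are serialized into `<stop>` elements. The `{ offset, color, opacity }` stop shape and the helper names are assumptions; only the `colorStops` array and its `color` field come from the advisory.

```javascript
// Added example, not Fabric.js code: an application-side guard for gradient
// definitions taken from user input before their SVG form is rendered into the DOM.
// Assumed stop shape: { offset, color, opacity }; only the colorStops/color field
// is taken from the advisory, offset and opacity are assumptions.

const XML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the XML-significant characters so a value cannot terminate the attribute
// it is placed in or open a new element.
function escapeXmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Allow-list for CSS color syntaxes: #rgb/#rgba/#rrggbb/#rrggbbaa, rgb()/rgba()/
// hsl()/hsla() with numeric or percentage arguments, or a bare color name.
const COLOR_RE =
  /^(#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})|(rgb|hsl)a?\(\s*[\d.%]+(\s*,\s*[\d.%]+){2,3}\s*\)|[a-z]+)$/i;

function isSafeColor(color) {
  return typeof color === "string" && COLOR_RE.test(color.trim());
}

// Serialize colorStops into <stop> elements. Each color must pass the allow-list
// (the primary control) and every attribute value is escaped anyway (defense in
// depth), so a stop containing quotes or angle brackets is rejected before it
// could break out of the stop-color attribute.
function gradientStopsToSVG(colorStops) {
  return colorStops
    .map((stop) => {
      if (!isSafeColor(stop.color)) {
        throw new Error(`rejected color stop: ${JSON.stringify(stop.color)}`);
      }
      const offset = Number(stop.offset);
      if (!Number.isFinite(offset) || offset < 0 || offset > 1) {
        throw new Error(`rejected offset: ${String(stop.offset)}`);
      }
      const opacity = stop.opacity === undefined ? 1 : Number(stop.opacity);
      return `<stop offset="${offset * 100}%" stop-color="${escapeXmlAttr(stop.color)}" stop-opacity="${opacity}"/>`;
    })
    .join("");
}
```

Applying the same allow-list at the point where the application accepts a gradient definition, rather than only at serialization time, keeps rejected input out of persisted state as well.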
Severity (CVSS)
| Base score | 5.4 |
|---|---|
| Severity | Medium |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| Provided by | CNA |
Weaknesses
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-116: Improper Encoding or Escaping of Output
Affected products
| Vendor | Product | Versions |
|---|---|---|
| fabricjs | fabric.js | < 7.4.0 |
References
- https://github.com/fabricjs/fabric.js/security/advisories/GHSA-w22m-hvvm-xmwx (x_refsource_CONFIRM)
- https://github.com/fabricjs/fabric.js/releases/tag/v740 (x_refsource_MISC)
Generated from the official CVE List on 23 Jun 2026 10:05 UTC.