CVE-2026-27013
Published: 19 February 2026
Summary
CVE-2026-27013 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fabricjs Fabric.Js. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS via malicious JSON input to loadFromJSON() + toSVG() output directly enables exploitation of public-facing web apps (T1190) that incorporate the vulnerable library, resulting in arbitrary JavaScript execution in the victim browser (T1059.007).
NVD Description
Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled…
more
JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.
Deeper analysisAI
CVE-2026-27013 is a stored cross-site scripting (XSS) vulnerability in Fabric.js, a JavaScript HTML5 canvas library, affecting versions prior to 7.2.0. The issue arises during SVG export in the `TextSVGExportMixin.ts` file, where the library applies `escapeXml()` to text content but neglects to escape other user-controlled string values interpolated into SVG attribute markup. This allows unescaped values from attacker-controlled JSON, loaded via `loadFromJSON()`, to break out of XML attributes when exported via `toSVG()`, injecting arbitrary SVG elements including event handlers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output), with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).
Any unauthenticated attacker (PR:N) with network access (AV:N) can exploit this by supplying malicious JSON to applications that load it via `loadFromJSON()`—such as those supporting collaborative sharing, import features, or CMS plugins—and then render the resulting `toSVG()` output in a browser context, including SVG previews, in-page export downloads, email templates, or embeds. Exploitation requires user interaction (UI:R) from a victim viewing the rendered SVG, enabling arbitrary JavaScript execution in the victim's browser session and achieving high confidentiality impact alongside limited integrity and availability effects.
Mitigation is available in Fabric.js version 7.2.0, which addresses the improper escaping. The Fabric.js GitHub security advisory (GHSA-hfvx-25r5-qc3w) details the issue, while the fix is implemented in commit 7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee and released in tag v7.2.0. Security practitioners should upgrade affected applications to this version and review any user-supplied JSON handling paired with SVG rendering.
Details
- CWE(s)