CVE-2026-27013
Published: 19 February 2026
Summary
CVE-2026-27013 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Fabric.js (vendor: fabricjs). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 17.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-27013 is a stored cross-site scripting (XSS) vulnerability in Fabric.js, a JavaScript HTML5 canvas library, affecting versions prior to 7.2.0. The issue arises during SVG export in the `TextSVGExportMixin.ts` file, where the library applies `escapeXml()` to text content but neglects to escape other user-controlled string values interpolated into SVG attribute markup. This allows unescaped values from attacker-controlled JSON, loaded via `loadFromJSON()`, to break out of XML attributes when exported via `toSVG()`, injecting arbitrary SVG elements including event handlers. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output), with a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L).
Any unauthenticated attacker (PR:N) with network access (AV:N) can exploit this by supplying malicious JSON to applications that load it via `loadFromJSON()`—such as those supporting collaborative sharing, import features, or CMS plugins—and then render the resulting `toSVG()` output in a browser context, including SVG previews, in-page export downloads, email templates, or embeds. Exploitation requires user interaction (UI:R) from a victim viewing the rendered SVG, enabling arbitrary JavaScript execution in the victim's browser session and achieving high confidentiality impact alongside limited integrity and availability effects.
Mitigation is available in Fabric.js version 7.2.0, which addresses the improper escaping. The Fabric.js GitHub security advisory (GHSA-hfvx-25r5-qc3w) details the issue, while the fix is implemented in commit 7e1a122defd8feefe4eb7eaf0c180d7b0aeb6fee and released in tag v7.2.0. Security practitioners should upgrade affected applications to this version and review any user-supplied JSON handling paired with SVG rendering.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7973
Vulnerability details
Fabric.js is a JavaScript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies `escapeXml()` to text content during SVG export (`src/shapes/Text/TextSVGExportMixin.ts:186`) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via `loadFromJSON()` and later exported via `toSVG()`, the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via `loadFromJSON()`, collaborative sharing, import features, CMS plugins) and renders the `toSVG()` output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.
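The escaping gap described above in a simplified form, as an added example that is not Fabric.js source: a text export that escapes only the text node beside one that escapes attribute values as well, followed by a check a maintainer could keep as a regression test. The object fields, helper names and the breakout sample string are all constructed here; Fabric.js's real `escapeXml()` and export code differ.

```javascript
// Escape the five XML metacharacters (stand-in for Fabric.js's own escapeXml()).
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Simplified text-to-SVG export. escapeAttributes=false mirrors the pre-7.2.0
// pattern (only text content escaped); true also escapes attribute values.
function textToSvg(obj, escapeAttributes) {
  const attr = (v) => (escapeAttributes ? escapeXml(v) : String(v));
  return (
    `<text font-family="${attr(obj.fontFamily)}" ` +
    `font-size="${attr(obj.fontSize)}" fill="${attr(obj.fill)}">` +
    `${escapeXml(obj.text)}</text>`
  );
}

// Regression check: exactly one element opens in the fragment and the <text>
// tag carries exactly the expected attributes; otherwise a value broke out.
function isWellFormedTextExport(svg, expectedAttrs) {
  const openingTags = (svg.match(/<[A-Za-z]/g) || []).length;
  const open = svg.match(/^<text((?: [A-Za-z-]+="[^"]*")*)>/);
  if (openingTags !== 1 || !open) return false;
  const names = [...open[1].matchAll(/ ([A-Za-z-]+)="/g)].map((m) => m[1]);
  return names.join(',') === expectedAttrs.join(',');
}

// Constructed object standing in for a JSON record given to loadFromJSON():
// the text is harmless, but fontFamily would close the attribute and open a
// new element if written into the markup unescaped.
const SAMPLE = {
  text: 'hello & welcome',
  fontFamily: 'Arial"><rect width="1', // constructed breakout value
  fontSize: 16,
  fill: 'black',
};
const EXPECTED_ATTRS = ['font-family', 'font-size', 'fill'];

// Runs both export modes through the check: false for the raw path,
// true once attribute values are escaped.
function demo() {
  const unsafe = isWellFormedTextExport(textToSvg(SAMPLE, false), EXPECTED_ATTRS);
  const safe = isWellFormedTextExport(textToSvg(SAMPLE, true), EXPECTED_ATTRS);
  return { unsafe, safe };
}
```

The attribute-name comparison also catches the case where a value only closes the quote and appends an extra attribute rather than a new element.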
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS via malicious JSON supplied to `loadFromJSON()` and rendered through `toSVG()` output directly enables exploitation of public-facing web applications (T1190) that incorporate the vulnerable library, resulting in arbitrary JavaScript execution in the victim's browser (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the improper escaping of user-controlled strings in SVG output by requiring filtering to prevent XSS injection.
- Mitigates the vulnerability by requiring timely remediation of the known flaw through upgrading Fabric.js to version 7.2.0.
- Prevents loading of malicious JSON payloads by validating user-supplied inputs prior to processing with `loadFromJSON()`.