What is the CVSS score of CVE-2026-27013?

CVE-2026-27013 has a CVSS 3.1 base score of 7.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L. EPSS exploitation probability: 0.0%.

Which versions of Fabric.Js are affected by CVE-2026-27013?

Fabric.js versions prior to 7.2.0 contain a cross-site scripting (XSS) vulnerability in SVG export functionality that could allow attackers to inject malicious code through unescaped user-controlled…. A patch is available.

Is there a public PoC exploit available for CVE-2026-27013?

Yes, a public proof-of-concept exploit is available for CVE-2026-27013. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-27013?

Within 24 hours: Inventory all applications and dependencies using Fabric.js and identify affected versions (pre-7.2.0). Within 7 days: Patch all affected instances to Fabric.js 7.2.0 or later through your dependency management system and deploy to production. Within 30 days: Conduct security testing of patched applications, particularly SVG export features, and document the remediation in your vulnerability management system.

Fabric.Js CVE-2026-27013

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-19 security-advisories@github.com

GHSA-hfvx-25r5-qc3w

RCE XSS Fabric.Js

7.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.6 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 23, 2026 - 19:25 vuln.today

Public exploit code

Patch released

Feb 23, 2026 - 19:25 nvd

Patch available

CVE Published

Feb 19, 2026 - 20:25 nvd

HIGH 7.6

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

3 npm packages depend on fabric (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 7.2.0.

DescriptionGitHub Advisory

Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml() to text content during SVG export (src/shapes/Text/TextSVGExportMixin.ts:186) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via loadFromJSON() and later exported via toSVG(), the unescaped values break out of XML attributes and inject arbitrary SVG elements including event handlers. Any application that accepts user-supplied JSON (via loadFromJSON(), collaborative sharing, import features, CMS plugins) and renders the toSVG() output in a browser context (SVG preview, export download rendered in-page, email template, embed) is vulnerable to stored XSS. An attacker can execute arbitrary JavaScript in the victim's browser session. Version 7.2.0 contains a fix.

AnalysisAI

Stored XSS in Fabric.js prior to version 7.2.0 allows attackers to inject arbitrary SVG elements and event handlers when user-supplied JSON is loaded and exported via toSVG(), affecting applications that process collaborative designs, imports, or CMS plugins. Public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker supplies malicious JSON

Exploit

Application loads JSON via loadFromJSON()

Execution

Unescaped values injected into SVG attributes

Impact

Arbitrary SVG elements and event handlers executed