cvedb.io
CVE-2026-44311
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-06-22T22:16:46.200 · Last modified 2026-06-26T20:09:01.607

Summary

Fabric.js is a JavaScript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG <stop> elements. If an application renders the generated SVG string into the DOM, this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim's browser. This vulnerability is fixed in 7.4.0.
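For applications that cannot move to 7.4.0 immediately, untrusted canvas data can be checked before it reaches toSVG(). The following is an added example, not Fabric.js code or the project's fix: the helper names (isSafeColor, escapeXmlAttr, auditColorStops) are hypothetical, and the serialized shape (objects, fill, colorStops with a color field) is an assumption with constructed sample data.

```javascript
// Added example: defensive checks for gradient colour stops before SVG export.
// Allowlist of colour syntaxes: hex, bare keyword, rgb()/rgba()/hsl()/hsla().
const SAFE_COLOR = new RegExp(
  '^(?:#[0-9a-f]{3,8}|[a-z]+|(?:rgb|hsl)a?\\(\\s*[0-9.%,\\s/-]+\\))$', 'i');

function isSafeColor(value) {
  return typeof value === 'string' && value.length <= 64 && SAFE_COLOR.test(value);
}

// Escape a value for use inside an XML/SVG attribute.
function escapeXmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Walk any serialized object tree and report colorStops entries whose
// colour fails the allowlist. Returns [{ path, color }].
function auditColorStops(node, path = '$', findings = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => auditColorStops(child, `${path}[${i}]`, findings));
  } else if (node && typeof node === 'object') {
    if (Array.isArray(node.colorStops)) {
      node.colorStops.forEach((stop, i) => {
        if (!stop || !isSafeColor(stop.color)) {
          findings.push({ path: `${path}.colorStops[${i}].color`, color: stop && stop.color });
        }
      });
    }
    for (const key of Object.keys(node)) {
      if (key !== 'colorStops') auditColorStops(node[key], `${path}.${key}`, findings);
    }
  }
  return findings;
}

// Constructed sample: one clean gradient, one with markup characters in color.
const sampleDoc = {
  objects: [
    { type: 'rect', fill: { type: 'linear', colorStops: [
      { offset: 0, color: '#ff0000' }, { offset: 1, color: 'rgba(0, 0, 255, 0.5)' }] } },
    { type: 'circle', fill: { type: 'linear', colorStops: [
      { offset: 0, color: 'red"><g id="injected"/>' }] } },
  ],
};

console.log(auditColorStops(sampleDoc));
console.log(escapeXmlAttr(sampleDoc.objects[1].fill.colorStops[0].color));
```

Rejecting the document when auditColorStops returns any finding is stricter than escaping, and it also covers stroke gradients or nested groups because the walk is not tied to a particular property name.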

Affected products

fabricjs — fabric.js

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.