Description
fabric.js applies escapeXml() to text content during SVG export (src/shapes/Text/TextSVGExportMixin.ts:186) but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup.
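The gap described above is a context mismatch: escaping the text node does not protect attribute values, because a double quote in an attribute value ends the quoted value early. The example below is added here and is not fabric.js code; `exportTextSvg`, `readAttribute` and `attributeRoundTrips` are hypothetical names that mimic the pattern, and the `font-family` input is a constructed sample. The round-trip check is the kind of unit test a maintainer can keep to catch any attribute that is written without escaping.

```javascript
// Added example (not fabric.js code). Shows why an XML escaper must be applied
// in attribute context as well as in text-node context.

// Escape the five XML-significant characters. '&' goes first so that the
// entities produced by the later replacements are not double-escaped.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Inverse of escapeXml, used by the check below. '&amp;' goes last so that
// a literal '&lt;' in the original text is not turned back into '<'.
function unescapeXml(value) {
  return String(value)
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Hypothetical export helper mimicking the pattern: the text node is always
// escaped, the attribute value only when escapeAttributes is true.
function exportTextSvg({ text, fontFamily }, escapeAttributes) {
  const attr = escapeAttributes ? escapeXml : String;
  return `<text font-family="${attr(fontFamily)}">${escapeXml(text)}</text>`;
}

// Read back the first double-quoted value of a named attribute from the
// emitted markup and decode it, as an XML parser would.
function readAttribute(markup, name) {
  const m = new RegExp('\\s' + name + '="([^"]*)"').exec(markup);
  return m ? unescapeXml(m[1]) : null;
}

// Defender-side check: an attribute value must survive the trip through the
// markup unchanged. A value that comes back truncated means part of the input
// was interpreted as markup rather than as attribute data.
function attributeRoundTrips(input, escapeAttributes) {
  const markup = exportTextSvg(input, escapeAttributes);
  return readAttribute(markup, 'font-family') === input.fontFamily;
}

// Constructed sample input: a font name containing double quotes.
const constructedInput = { text: 'Hello <world>', fontFamily: 'Comic "Sans" MS' };

// Escaped attribute: round-trips. Unescaped attribute: truncated to 'Comic '.
console.log(attributeRoundTrips(constructedInput, true));  // true
console.log(attributeRoundTrips(constructedInput, false)); // false
console.log(exportTextSvg(constructedInput, false));
```

A benign value such as `Arial` round-trips either way, which is why a test suite that only uses friendly fixtures never notices the missing call; the fixture has to contain the characters the escaper exists to handle.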
Recommendation
Update the fabric package to the latest compatible version. Version details:
- Affected version(s): < 7.2.0
- Patched version(s): 7.2.0
Related Issues
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context - CVE-2026-33889
- Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - @haxtheweb/video-player - CVE-2026-46396
- Tags:
- npm
- fabric
Last updated on February 19, 2026