CVE-2026-44311
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
A vulnerability in Fabric.js before version 7.4.0 allows XSS attacks due to improper escaping of user input during SVG serialization via the toSVG() method. The color field in the colorStops array of a fabric.Gradient object is not properly sanitized, enabling injection of arbitrary HTML/SVG and JavaScript execution in the victim's browser.
Risk Assessment
An attacker can exploit this vulnerability to inject malicious scripts, leading to session data theft, account takeover, or other actions in the user's browser context.
Recommendation
Immediately update Fabric.js to version 7.4.0 or later. If an update is not possible, avoid rendering generated SVG directly into the DOM without additional sanitization.
Original NVD description (English source)
Fabric.js is a Javascript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG <stop> elements. If an application renders the generated SVG string into the DOM, this may allow an attacker to inject arbitrary HTML/SVG and execute JavaScript in the victim's browser. This vulnerability is fixed in 7.4.0.

