CVE-2026-27013: Critical Stored XSS Flaw in Fabric.js SVG Export Exposes Applications to Remote Script Injection

Vulnerability Summary

CVE ID: CVE-2026-27013
Affected Product: Fabric.js (npm package: fabric)
Affected Versions: All versions prior to 7.2.0
Fixed Version: 7.2.0 and later
CVSS v3.1 Score: 7.6 (High)
CVSS Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:L / A:L
Severity: High
Exploitability: Remote exploitation possible; no authentication required; user interaction required (victim must view or render the exported SVG)
Exploit Availability: No widely weaponized public exploit observed at the time of disclosure. Exploitation remains technically simple and reproducible in controlled environments.
Official Patch / Upgrade: Upgrade to Fabric.js v7.2.0 or later
Official Release Link: https://github.com/fabricjs/fabric.js/releases/tag/v7.2.0

Overview

A stored cross-site scripting vulnerability was identified in Fabric.js related to improper escaping of user-controlled properties when exporting canvas objects to SVG format.

The issue occurs when untrusted JSON is loaded into Fabric using loadFromJSON() and later exported via toSVG(). Certain object properties—particularly id, src, gradient IDs, and pattern IDs—were inserted directly into SVG attributes without proper XML attribute escaping.

Because SVG supports inline event handlers and JavaScript execution in browsers, malicious attribute injection could result in arbitrary JavaScript execution when the exported SVG is rendered in a browser context.

This vulnerability does not trigger during normal canvas rendering. It is specifically triggered during SVG export and subsequent viewing of that SVG in a browser.


Technical Root Cause

Fabric.js allows full object reconstruction from JSON using:

canvas.loadFromJSON()

During deserialization:

  • All properties in JSON are assigned to object instances.
  • No strict allowlist validation is enforced.
  • No sanitization occurs on string properties.

During SVG export:

  • Object properties such as id and src are interpolated into SVG attribute templates.
  • In affected versions, attribute values were not properly escaped for XML attribute context.
  • If attacker-controlled values contained quotation marks (") or angle brackets (<, >), attribute boundaries could be broken.
  • Additional attributes such as onload, onmouseover, or even <script> tags could be injected.

This results in attribute-context injection inside the generated SVG.


Attack Scenario

The following exploitation chain is realistic in production environments:

  1. An application allows users to import or save canvas designs as JSON.
  2. A malicious user crafts JSON containing injected attribute payloads.
  3. The JSON is stored in a database.
  4. Another user views or exports the design as SVG.
  5. The generated SVG contains injected JavaScript.
  6. The browser executes the malicious script.

This is a classic stored XSS pattern.


Conditions Required for Exploitation

  • Application must allow user-controlled JSON input.
  • Application must use Fabric.js version < 7.2.0.
  • Application must call toSVG() on loaded objects.
  • SVG must be rendered in a browser context (inline or opened in browser).
  • No strict CSP or SVG sanitization in place.

If SVG files are served strictly as downloads with Content-Disposition: attachment, risk is reduced but not eliminated.


Proof of Concept (Educational)

Below is a simplified educational example demonstrating how attribute injection can occur.

Malicious JSON example:

{
  "type": "rect",
  "id": "test\" onload=\"alert('XSS')",
  "width": 100,
  "height": 100,
  "fill": "red"
}

If exported improperly, the SVG could become:

<g id="test" onload="alert('XSS')">

When rendered in a browser, the onload event executes.

This demonstrates attribute breakout in SVG context.
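The attribute-context injection described in the root-cause section and in the proof of concept above, carried through in code as an added example (this is not Fabric.js source and not the advisory's own code): a naive export template that mirrors the pre-7.2.0 behaviour described above sits beside one that escapes every value for XML attribute context, followed by two small checks of the kind the remediation verification steps call for. The templates, the escapeXmlAttribute helper and the attributeNames parser are hypothetical simplifications written for this illustration; the input object is the advisory's PoC JSON.

```javascript
// Added illustration, not Fabric.js code. Shows why interpolating an object's id
// straight into an SVG attribute template breaks out of the attribute, and how
// escaping for XML attribute context closes the hole.

// Constructed input: the advisory's PoC object, unchanged.
const maliciousObject = {
  type: "rect",
  id: "test\" onload=\"alert('XSS')",
  width: 100,
  height: 100,
  fill: "red",
};

// Escape a value for use inside a double-quoted XML attribute.
// '&' must be replaced first so the entities produced below are not re-escaped.
function escapeXmlAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Simplified template with the defect the advisory describes (hypothetical; the
// real Fabric.js templates are more elaborate): values land in attributes verbatim.
function exportRectVulnerable(obj) {
  return `<g id="${obj.id}"><rect width="${obj.width}" height="${obj.height}" fill="${obj.fill}"/></g>`;
}

// Hardened template: every value is escaped for attribute context before interpolation.
function exportRectHardened(obj) {
  const a = escapeXmlAttribute;
  return `<g id="${a(obj.id)}"><rect width="${a(obj.width)}" height="${a(obj.height)}" fill="${a(obj.fill)}"/></g>`;
}

// Verification check 1: does the markup contain an inline event-handler attribute
// (on* followed by '=' and an opening quote)? Escaped text such as onload=&quot; does not count.
function hasInlineEventHandler(svg) {
  return /\son[a-z]+\s*=\s*["']/i.test(svg);
}

// Verification check 2: list the attribute names of the first element. A breakout
// shows up as an extra attribute (onload) that was never part of the object model.
function attributeNames(svg) {
  const tag = svg.match(/<[a-zA-Z][^>]*>/);
  if (!tag) return [];
  return Array.from(tag[0].matchAll(/\s([a-zA-Z:][\w:.-]*)\s*=\s*"/g), (m) => m[1]);
}

// Side-by-side run on the PoC object.
console.log("vulnerable:", exportRectVulnerable(maliciousObject));
console.log("  attributes:", attributeNames(exportRectVulnerable(maliciousObject)));
console.log("hardened:  ", exportRectHardened(maliciousObject));
console.log("  attributes:", attributeNames(exportRectHardened(maliciousObject)));
```

The vulnerable template yields `<g id="test" onload="alert('XSS')">`, exactly the markup shown above, and attributeNames() reports a second attribute that the object model never declared. The hardened template yields `<g id="test&quot; onload=&quot;alert(&apos;XSS&apos;)">`, a single id attribute whose value is inert text. Running hasInlineEventHandler() over the export of a staged malicious design is a cheap way to perform the "verify no inline event handlers are generated" step of remediation verification.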


Impact Analysis

Confidentiality

Session cookies, local storage tokens, and DOM data can be accessed.

Integrity

The DOM can be modified, and actions can be triggered on behalf of the victim.

Availability

Limited impact. Malicious scripts could disrupt UI or trigger excessive operations.


MITRE Mapping

CWE Classification

  • CWE-79 — Improper Neutralization of Input During Web Page Generation
  • CWE-116 — Improper Encoding or Escaping of Output

MITRE ATT&CK Mapping

  • T1190 — Exploit Public-Facing Application
  • T1059 — Command and Scripting Interpreter (Browser Context)

Detection and Threat Hunting

1. Version Detection

Check installed version:

npm list fabric

Or inspect:

package.json
node_modules/fabric/package.json

If the installed version is below 7.2.0, the application is affected.


2. Database Hunting for Malicious Canvas JSON

SQL Query

SELECT id, canvas_json
FROM saved_canvases
WHERE canvas_json LIKE '%onload=%'
   OR canvas_json LIKE '%onmouseover=%'
   OR canvas_json LIKE '%<script%'
   OR canvas_json LIKE '%javascript:%'
   OR canvas_json REGEXP '"id"\\s*:\\s*".*["<>]';

3. Web Server Log Detection

Apache / Nginx Log Search

Search for SVG responses containing script indicators:

grep -Ei "onload=|onerror=|onmouseover=|<script|javascript:" access.log

4. Splunk Detection Query

index=web_logs 
| search "image/svg+xml"
| search "<script" OR "onload=" OR "onerror=" OR "onmouseover=" OR "javascript:"
| table _time clientip uri useragent

5. Elastic / KQL Detection

http.response.headers.content_type : "image/svg+xml" and
(
  http.response.body : "<script" or
  http.response.body : "onload=" or
  http.response.body : "onerror=" or
  http.response.body : "javascript:"
)

6. WAF Detection Rule Example (ModSecurity)

SecRule RESPONSE_HEADERS:Content-Type "image/svg+xml" "id:2701301,phase:4,deny,log,msg:'Possible SVG XSS injection detected',chain"
SecRule RESPONSE_BODY "(<script|onload=|onerror=|onmouseover=|javascript:)" "t:none"

7. Regex Detection for File Scanners

Suspicious ID Attribute

\bid\s*=\s*"[^"]*"\s*on[a-zA-Z]+\s*=|\bid\s*=\s*"[^"]*(<|>|javascript:)

The first alternative catches an id attribute that has been closed and is immediately followed by an event handler, which is the breakout shown in the proof of concept (the quote that closes the attribute is what a single `[^"]*` run cannot look past). The second catches raw angle brackets or a javascript: scheme left inside the value.

Suspicious xlink:href

xlink:href\s*=\s*"[^"]*"\s*on[a-zA-Z]+\s*=|xlink:href\s*=\s*"[^"]*(javascript:|[<>])

As with the id pattern, the closing quote on its own must not count as a hit, otherwise every xlink:href in the file is flagged.
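The two file-scanner patterns above, run over constructed SVG lines, as an added example that is not from the advisory. The regexes below are this example's own variants of those patterns: the id pattern is written to catch both a closed-then-reopened attribute (the PoC breakout) and unescaped angle brackets or a javascript: scheme inside the value, and the href pattern does not treat the closing quote itself as a hit. SAMPLE_SVG_LINES is constructed for this illustration and includes the PoC output, its correctly escaped counterpart and benign markup, so that true and false positives are both visible.

```javascript
// Added illustration, not part of the advisory. Applies attribute-focused regexes to
// SVG text line by line and reports which lines look like attribute injection.

// An id attribute that is closed and followed by an on* handler (attribute breakout),
// or whose value contains raw angle brackets or a javascript: scheme.
const SUSPICIOUS_ID = /\bid\s*=\s*"[^"]*"\s*on[a-zA-Z]+\s*=|\bid\s*=\s*"[^"]*(<|>|javascript:)/;

// An xlink:href that is closed and followed by an on* handler, or whose value
// carries a javascript: scheme or raw angle brackets. The closing quote alone is not a hit.
const SUSPICIOUS_HREF = /xlink:href\s*=\s*"[^"]*"\s*on[a-zA-Z]+\s*=|xlink:href\s*=\s*"[^"]*(javascript:|[<>])/;

// Constructed sample lines (not captured from a real system).
const SAMPLE_SVG_LINES = [
  '<g id="test" onload="alert(\'XSS\')">',                              // 1: PoC object, unescaped export
  '<g id="test&quot; onload=&quot;alert(&apos;XSS&apos;)">',            // 2: same object after correct escaping
  '<g id="layer-1" transform="matrix(1 0 0 1 0 0)">',                   // 3: benign
  '<image xlink:href="javascript:alert(1)" width="10" height="10"/>',   // 4: script-scheme href
  '<image xlink:href="https://cdn.example.invalid/a.png" width="10"/>', // 5: benign href
  '<image xlink:href="a.png" onerror="alert(1)"/>',                     // 6: href closed, handler injected
];

// Returns the list of pattern names that fire on one line.
function classifyLine(line) {
  const findings = [];
  if (SUSPICIOUS_ID.test(line)) findings.push("suspicious-id");
  if (SUSPICIOUS_HREF.test(line)) findings.push("suspicious-href");
  return findings;
}

// Returns only the lines with findings, with 1-based line numbers, for a scanner report.
function scanSvg(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, findings: classifyLine(line) }))
    .filter((r) => r.findings.length > 0);
}

for (const r of scanSvg(SAMPLE_SVG_LINES)) {
  console.log(`line ${r.line}: ${r.findings.join(", ")}`);
}
```

Lines 1, 4 and 6 are reported; line 2, the correctly escaped export of the same PoC object, is not, which is the property a scanner needs if it is to tell a patched deployment from an unpatched one rather than flagging every file that ever carried the payload.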

Log Sources to Monitor

  • Application logs (JSON import events)
  • Database audit logs (insert/update of canvas JSON)
  • Web server access logs
  • Reverse proxy logs
  • WAF logs
  • CDN logs
  • Object storage access logs (if SVG files stored)
  • Client-side telemetry (unexpected JS errors after SVG render)

Defensive Recommendations

Immediate Action

Upgrade to Fabric.js 7.2.0 or later.

Temporary Mitigations

  • Enforce strict allowlist validation on JSON properties.
  • Restrict characters in object id fields.
  • Sanitize SVG output server-side before rendering.
  • Serve SVG files as attachments.
  • Apply strict Content Security Policy (disallow inline script).
  • Avoid rendering untrusted SVG inline.
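One way to implement the first two temporary mitigations (allowlist validation of JSON properties and restricting the characters in id fields) before the JSON is stored or reaches loadFromJSON(), as an added example that is neither Fabric.js code nor the advisory's. The allowlists, the SAFE_ID pattern, the approved src prefix and the canvas document shape are assumptions made for this illustration; tighten them to what the application actually stores.

```javascript
// Added illustration, not Fabric.js code. Validates user-supplied canvas JSON
// against an allowlist before it is stored or passed to loadFromJSON().

// Assumed allowlists for this illustration; adjust to the object types and
// properties your application really uses.
const ALLOWED_OBJECT_TYPES = new Set(["rect", "circle", "text", "image", "path"]);
const ALLOWED_PROPERTIES = new Set([
  "type", "id", "left", "top", "width", "height", "fill", "stroke",
  "strokeWidth", "angle", "opacity", "text", "src",
]);
// Identifiers end up in SVG attributes, so keep them to a conservative character set.
const SAFE_ID = /^[A-Za-z0-9_-]{1,64}$/;
// src is also interpolated on export; only accept your own asset origin (assumed value).
const SAFE_SRC_PREFIXES = ["https://cdn.example.invalid/"];

// Returns a list of problems for one object (empty when the object is acceptable).
function validateCanvasObject(obj, index) {
  const where = `objects[${index}]`;
  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
    return [`${where}: not an object`];
  }
  const errors = [];
  if (!ALLOWED_OBJECT_TYPES.has(obj.type)) {
    errors.push(`${where}: type "${obj.type}" not allowed`);
  }
  for (const key of Object.keys(obj)) {
    if (!ALLOWED_PROPERTIES.has(key)) errors.push(`${where}: property "${key}" not in allowlist`);
  }
  if (obj.id !== undefined && (typeof obj.id !== "string" || !SAFE_ID.test(obj.id))) {
    errors.push(`${where}: id must match ${SAFE_ID}`);
  }
  if (obj.src !== undefined &&
      (typeof obj.src !== "string" || !SAFE_SRC_PREFIXES.some((p) => obj.src.startsWith(p)))) {
    errors.push(`${where}: src must point at an approved asset origin`);
  }
  return errors;
}

// Parses and validates the whole document; callers store or load it only when ok is true.
function validateCanvasJson(text) {
  let doc;
  try {
    doc = JSON.parse(text);
  } catch (e) {
    return { ok: false, errors: ["not valid JSON"] };
  }
  if (typeof doc !== "object" || doc === null || !Array.isArray(doc.objects)) {
    return { ok: false, errors: ["missing objects array"] };
  }
  const errors = doc.objects.flatMap((o, i) => validateCanvasObject(o, i));
  return { ok: errors.length === 0, errors };
}

// Constructed input: one benign rectangle plus the advisory's PoC object.
const CONSTRUCTED_CANVAS_JSON = JSON.stringify({
  objects: [
    { type: "rect", id: "box-1", left: 10, top: 10, width: 100, height: 100, fill: "red" },
    { type: "rect", id: "test\" onload=\"alert('XSS')", width: 100, height: 100, fill: "red" },
  ],
});

console.log(validateCanvasJson(CONSTRUCTED_CANVAS_JSON));
```

Rejecting the document outright, rather than silently stripping offending properties, keeps the audit trail useful: the rejection (with the objects[n] path) is exactly the "JSON import event" worth writing to the application log listed under Log Sources to Monitor. This validation complements rather than replaces the upgrade, since it protects only the import path and not JSON that is already in the database.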

Secure Development Practice

  • Escape values according to context (attribute vs text node).
  • Treat JSON from users as untrusted input.
  • Implement input validation and output encoding consistently.
  • Conduct dependency scanning regularly.

Risk Assessment

If the application:

  • Accepts user-created canvas designs
  • Stores them
  • Allows preview or export to SVG
  • Renders SVG inline

Then exploitation likelihood is moderate to high in multi-user environments.

If the application is single-user and does not share or render SVG in a browser context, the risk is significantly lower.


Remediation Verification

After upgrading:

  1. Import controlled malicious JSON in staging.
  2. Export to SVG.
  3. Inspect SVG output.
  4. Confirm attribute values are properly escaped.
  5. Verify no inline event handlers are generated.
  6. Test with CSP enabled.

Conclusion

CVE-2026-27013 represents a classic stored XSS vulnerability caused by improper attribute escaping during SVG generation. The flaw originates from unsanitized JSON deserialization combined with unsafe template interpolation in SVG export logic.

Although exploitation requires specific application behavior, many real-world Fabric.js implementations expose JSON import and SVG export functionality, making this vulnerability practically exploitable in collaborative or user-generated content platforms.

The vulnerability is fully resolved in version 7.2.0. Upgrade should be treated as mandatory for exposed systems.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.