{“lastseen”:””,”description”:”Fabric.js is a Javascript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG() method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when converted into SVG \\u003cstop\\u003e elements. If an application renders the generated SVG string into the DOM, this may allow an attacker to inject arbitrary HTML\/SVG and execute JavaScript in the victim’s browser. This vulnerability is fixed in 7.4.0.”,”published”:”2026-06-22T20:50:56.690Z”,”modified”:”2026-06-22T20:50:56.690Z”,”type”:”cve”,”title”:”Fabric.js: Improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/fabricjs\/fabric.js\/security\/advisories\/GHSA-w22m-hvvm-xmwx\\nhttps:\/\/github.com\/fabricjs\/fabric.js\/releases\/tag\/v740″,”id”:”CVE-2026-44311″,”bulletinFamily”:””,”cwe”:[“CWE-79″,”CWE-116″],”cvelist”:null,”sourceData”:”fabricjs fabric.js \\u003c 7.4.0″,”sourceHref”:””,”cvss”:{“score”:5.4,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”fabric.js”,”version”:”\\u003c 7.4.0″,”vendor”:”fabricjs”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Fabric.js is a Javascript HTML5 canvas library. Prior to 7.4.0, a potential Cross-Site Scripting (XSS) vulnerability exists in Fabric.js due to improper escaping of user-controlled…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,82,12,21,13,7,11,5],"class_list":["post-64895","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-54","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n