Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion through the Root.fromJSON or Namespace.addJSON functions. An attacker can cause resource exhaustion and disrupt service availability by submitting a crafted JSON descriptor with deeply nested namespace definitions...

CVE-2026-27013

Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When...

CVE-2026-27013

Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When...

CVE-2026-27013

Fabric.js prior to 7.2.0 is vulnerable to stored XSS when user-supplied JSON is loaded via loadFromJSON() and later exported to SVG with toSVG(). The issue arises because several SVG attributes (notably id on wrappers and xlink:href values for images and patterns) interpolate user-controlled str...

Cross-site Scripting (XSS)

Overview fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the loadFromJSON function, which is used in the FabricObjectSVGExportMixin class to deserialize...

EUVD-2025-31334

Malicious code in bioql PyPI...

CVE-2025-11011 BehaviorTree json_export.cpp fromJson null pointer dereference

A vulnerability was found in BehaviorTree up to 4.7.0. Affected by this issue is the function JsonExporter::fromJson of the file /src/jsonexport.cpp. Performing manipulation of the argument Source results in null pointer dereference. The attack needs to be approached locally. The exploit has been...

The vulnerability of the ConvertFromJson method in the monitoring and security management tool Trend Micro Apex Central allows a attacker to execute arbitrary code in the context of NETWORK SERVICE.

The vulnerability of the ConvertFromJson method in the Trend Micro Apex Central security monitoring and management tool is related to insufficient validation of input data. Exploiting this vulnerability could allow an attacker to execute arbitrary code in the context of NETWORK SERVICE...

json-smart: Potential DoS via stack exhaustion (incomplete fix for CVE-2023-1370)

A flaw was found in the JSON-smart library. In affected versions, specially crafted JSON input may trigger stack exhaustion, potentially leading to an application crash or denial of service. This issue exists due to an incomplete fix for CVE-2023-1370...