CVE-2026-39103
Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute()...
GPAC security vulnerability
GPAC is an open-source multimedia framework developed by GPAC. There is a security vulnerability in GPAC which stems from a buffer overflow in the gf_svg_parse_attribute() function found in the src/scenegraph/svg_attributes.c file. This vulnerability could lead to a denial-of-service attack...
CVE-2026-39103
GPAC contains a Buffer Overflow in the SVG attribute parsing path: src/scenegraph/svg_attributes.c, svg_parse_strings(), gf_svg_parse_attribute() that can lead to denial of service. The issue is tied to commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 (and is reflected across multiple advisories)...
Astra Linux – Vulnerability in ruby-rails-html-sanitizer
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a...
CVE-2026-33311
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from the user-supplied options backgroundColor, fontFamily and textColor were not XML-escaped before interpolation into SVG...
Cross-site Scripting (XSS)
Overview: @dicebear/initials is an Initials avatar style for DiceBear. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized interpolation of user-supplied options in the createAvatar function. An attacker can execute arbitrary scripts in the context of the...
CVE-2026-27013
Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When...
CVE-2026-27013 Fabric.js Affected by Stored XSS via SVG Export
Fabric.js is a Javascript HTML5 canvas library. Prior to version 7.2.0, Fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When...
Cross-site Scripting (XSS)
Overview: org.webjars.npm:fabric is an object model for HTML5 canvas and an SVG-to-canvas parser, backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the loadFromJSON function, which is used in the FabricObjectSVGExportMixin class to...
Cross-site Scripting (XSS)
Overview: fabric is an object model for HTML5 canvas and an SVG-to-canvas parser, backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the loadFromJSON function, which is used in the FabricObjectSVGExportMixin class to deserialize...
GHSA-HFVX-25R5-QC3W Fabric.js Affected by Stored XSS via SVG Export
fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via loadFromJSON and later exported via...
Fabric.js Affected by Stored XSS via SVG Export
fabric.js applies escapeXml to text content during SVG export src/shapes/Text/TextSVGExportMixin.ts:186 but fails to apply it to other user-controlled string values that are interpolated into SVG attribute markup. When attacker-controlled JSON is loaded via loadFromJSON and later exported via...
Cross-site Scripting (XSS)
Overview: beautiful-mermaid renders Mermaid diagrams as SVGs or ASCII art (ultra-fast, fully themeable, zero DOM dependencies). Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the interpolation of user-controlled values from style and classDef directiv...
CVE-2026-22610
A flaw was found in Angular. An attacker could exploit a cross-site scripting (XSS) vulnerability in the Angular Template Compiler due to improper sanitization of href and xlink:href attributes within SVG. Mitigation: this issue can be mitigated by avoiding the usage of dynamic bindings; this can be...
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular's internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. In a standard security model,...
CVE-2025-66412 Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, a Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the...
CVE-2025-66412
CVE-2025-66412 concerns Angular's Template Compiler, where a stored XSS could occur due to an incomplete security schema that fails to classify certain URL-holding attributes (e.g., those accepting javascript: URLs) as requiring strict URL security. The vulnerability allows injection of malicious scripts and is ...
EUVD-2022-7520
Malicious code in bioql PyPI...