36 matches found
CVE-2026-33311
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG...
CVE-2026-29112
DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the ensureSize function in @dicebear/converter read the width and height attributes from the input SVG to determine the output canvas size for rasterization (PNG, JPEG, WebP, AVIF). An attacker who can supply a...
CVE-2026-33418
DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafti...
CVE-2026-33418
DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafti...
CVE-2026-33311
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG...
CVE-2026-33418
DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafti...
CVE-2026-33418 @dicebear/converter ensureSize() Vulnerable to SVG Dimension Capping Bypass via XML Comment Injection
DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafti...
CVE-2026-33418
The CVE describes a vulnerability in @dicebear/converter.ensureSize() prior to v9.4.2, where a regex-based rewrite of SVG width/height capped at 2048px could be bypassed by crafting input that matches a non-root before the actual root. When such SVGs are rendered via @resvg/resvg-js on the Node....
CVE-2026-33311 @dicebear/core and @dicebear/initials Vulnerable to SVG Injection via Unsanitized Options
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG...
CVE-2026-33311 @dicebear/core and @dicebear/initials Vulnerable to SVG Injection via Unsanitized Options
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG...
CVE-2026-33311
DiceBear CVE-2026-33311 affects @dicebear/core and related packages. The issue: SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output in versions up to 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1. This ...
CVE-2026-33311 @dicebear/core and @dicebear/initials Vulnerable to SVG Injection via Unsanitized Options
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG...
DiceBear Security Vulnerability
DiceBear is an open-source random avatar generation library developed by DiceBear. Versions prior to DiceBear 9.4.2 contained security vulnerabilities. These vulnerabilities stemmed from the regular expression-based SVG attribute rewriting logic in the ensureSize function, which could be exploite...
DiceBear Cross-Site Scripting Vulnerability
DiceBear is an open-source random avatar generation library developed by DiceBear. Versions of DiceBear from 5.0.0 to 5.4.4, as well as versions before 6.1.4, 7.1.4, 8.0.3, and 9.4.1, contained a cross-site scripting vulnerability. This vulnerability occurred because SVG attribute values provided...
Allocation of Resources Without Limits or Throttling
Overview: @dicebear/converter is an SVG converter for DiceBear. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ensureSize function. An attacker can cause excessive memory allocation and application crashes by injecting specially craft...
@dicebear/collection (>=9.0.0 <=9.4.0), @fduenascoink/ui-sdk (>=18.0.0 <=18.0.4) +1 more potentially affected by CVE-2026-33311 via @dicebear/initials (>=9.0.0 <=9.4.0)
@dicebear/initials NPM version =9.0.0, =9.0.0, =18.0.0, =9.0.0, =9.4.0 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...
@dicebear/collection (>=5.0.6 <=5.4.3), dicebear (>=5.0.6 <=5.4.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=5.0.6 <=5.4.3)
@dicebear/initials NPM version =5.0.6, =5.0.6, =5.0.6, =5.4.3 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
@dicebear/collection (>=8.0.0 <=8.0.2), dicebear (>=8.0.0 <=8.0.2) potentially affected by CVE-2026-33311 via @dicebear/initials (>=8.0.0 <=8.0.2)
@dicebear/initials NPM version =8.0.0, =8.0.0, =8.0.0, =8.0.2 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
@dicebear/collection (>=6.0.0 <=6.1.3), dicebear (>=6.0.0 <=6.1.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=6.0.0 <=6.1.3)
@dicebear/initials NPM version =6.0.0, =6.0.0, =6.0.0, =6.1.3 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...
@dicebear/collection (>=8.0.0 <=8.0.2), dicebear (>=8.0.0 <=8.0.2) potentially affected by CVE-2026-33311 via @dicebear/initials (>=8.0.0 <=8.0.2)
@dicebear/initials NPM version =8.0.0, =8.0.0, =8.0.0, =8.0.2 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...