CVE-2026-33311 @dicebear/core and @dicebear/initials Vulnerable to SVG Injection via Unsanitized Options
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG...
CVE-2026-33311
DiceBear CVE-2026-33311 affects @dicebear/core and related packages. The issue: SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output in versions up to 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1. This ...
@dicebear/collection (>=6.0.0 <=6.1.3), dicebear (>=6.0.0 <=6.1.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=6.0.0 <=6.1.3)
@dicebear/initials NPM version =6.0.0, =6.0.0, =6.0.0, =6.1.3 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
@dicebear/collection (>=8.0.0 <=8.0.2), dicebear (>=8.0.0 <=8.0.2) potentially affected by CVE-2026-33311 via @dicebear/initials (>=8.0.0 <=8.0.2)
@dicebear/initials NPM version =8.0.0, =8.0.0, =8.0.0, =8.0.2 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...
@dicebear/collection (>=8.0.0 <=8.0.2), dicebear (>=8.0.0 <=8.0.2) potentially affected by CVE-2026-33311 via @dicebear/initials (>=8.0.0 <=8.0.2)
@dicebear/initials NPM version =8.0.0, =8.0.0, =8.0.0, =8.0.2 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
@dicebear/collection (>=9.0.0 <=9.4.0), @fduenascoink/ui-sdk (>=18.0.0 <=18.0.4) +1 more potentially affected by CVE-2026-33311 via @dicebear/initials (>=9.0.0 <=9.4.0)
@dicebear/initials NPM version =9.0.0, =9.0.0, =18.0.0, =9.0.0, =9.4.0 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...
@dicebear/collection (>=5.0.6 <=5.4.3), dicebear (>=5.0.6 <=5.4.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=5.0.6 <=5.4.3)
@dicebear/initials NPM version =5.0.6, =5.0.6, =5.0.6, =5.4.3 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
Summary: SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to createAvatar and serve the resulting SVG inline or...
@dicebear/collection (>=9.0.0 <=9.4.0), @fduenascoink/ui-sdk (>=18.0.0 <=18.0.4) +1 more potentially affected by CVE-2026-33311 via @dicebear/initials (>=9.0.0 <=9.4.0)
@dicebear/initials NPM version =9.0.0, =9.0.0, =18.0.0, =9.0.0, =9.4.0 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
@dicebear/collection (>=7.0.0 <=7.1.3), dicebear (>=7.0.0 <=7.1.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=7.0.0 <=7.1.3)
@dicebear/initials NPM version =7.0.0, =7.0.0, =7.0.0, =7.1.3 Source cves: CVE-2026-33311 Source advisory: SNYK:JS-DICEBEARINITIALS-15746953...
@dicebear/collection (>=5.0.6 <=5.4.3), dicebear (>=5.0.6 <=5.4.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=5.0.6 <=5.4.3)
@dicebear/initials NPM version =5.0.6, =5.0.6, =5.0.6, =5.4.3 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...
@dicebear/collection (>=7.0.0 <=7.1.3), dicebear (>=7.0.0 <=7.1.3) potentially affected by CVE-2026-33311 via @dicebear/initials (>=7.0.0 <=7.1.3)
@dicebear/initials NPM version =7.0.0, =7.0.0, =7.0.0, =7.1.3 Source cves: CVE-2026-33311 Source advisory: OSV:GHSA-MR9R-MWW3-V6GV...
GHSA-MR9R-MWW3-V6GV SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
Summary: SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to createAvatar and serve the resulting SVG inline or...
PT-2026-26477
Name of the Vulnerable Software and Affected Versions: DiceBear versions prior to 5.4.4; DiceBear versions 6.1.4 and earlier; DiceBear versions 7.1.4 and earlier; DiceBear versions 8.0.3 and earlier; DiceBear versions 9.4.1 and earlier. Description: The software does not properly escape SVG attribute...