CVE-2026-33311
SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials
Description

## Summary

SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and serve the resulting SVG inline or with `Content-Type: image/svg+xml`.

## Affected packages

- **`@dicebear/core`** — `backgroundColor` option values interpolated into SVG attributes without escaping (affects `solid` and `gradientLinear` background types)
- **`@dicebear/initials`** — `fontFamily` and `textColor` option values interpolated into SVG attributes without escaping

## Fix

All affected SVG attribute values are now properly escaped using XML entity encoding. Users should upgrade to the listed patched versions.

## Mitigating factors

- Applications that validate input against the library's JSON Schema before passing it to `createAvatar()` are not affected
- The DiceBear CLI validates input via AJV and was not vulnerable
- Exploitation requires that an application passes untrusted, unvalidated external input directly as option values
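The pattern the advisory describes (option values dropped straight into SVG attribute values) beside the two defences it names, XML entity encoding of every interpolated attribute value and validating options before they reach the renderer, as an added JavaScript example. This is not DiceBear's code: the SVG template, `escapeXml`, `validateOptions`, `renderOrReject` and the allow-list regular expressions are hypothetical stand-ins, and the tainted input is constructed for the demonstration.

```javascript
// Added example, not DiceBear's own code. Function names, regexes and the
// SVG template are hypothetical; the inputs below are constructed.

// XML entity encoding for attribute values. These five characters are the
// ones that can close an attribute, open a tag or start an entity reference.
// '&' is replaced first so the entities produced afterwards are not re-escaped.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

// Vulnerable pattern: backgroundColor, fontFamily and textColor are placed
// into attribute values verbatim, so a value containing '"' terminates the
// attribute and whatever follows is parsed as SVG markup.
function renderAvatarUnsafe(options) {
  return (
    `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">` +
    `<rect width="100" height="100" fill="#${options.backgroundColor}"/>` +
    `<text x="50" y="50" font-family="${options.fontFamily}" ` +
    `fill="#${options.textColor}">AB</text></svg>`
  );
}

// Hardened pattern: every interpolated attribute value goes through escapeXml,
// which is the fix the advisory describes.
function renderAvatarSafe(options) {
  return (
    `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">` +
    `<rect width="100" height="100" fill="#${escapeXml(options.backgroundColor)}"/>` +
    `<text x="50" y="50" font-family="${escapeXml(options.fontFamily)}" ` +
    `fill="#${escapeXml(options.textColor)}">AB</text></svg>`
  );
}

// Defence in depth, mirroring the advisory's mitigating factor: reject option
// values that do not match a tight allow-list before any renderer runs.
// Hypothetical rules: colours are 3, 6 or 8 hex digits without '#'; font
// families are a short string of names, spaces, commas and hyphens.
const HEX_COLOR = /^(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const FONT_FAMILY = /^[A-Za-z0-9 ,\-]{1,64}$/;

// Returns the names of the options that failed validation (empty when clean).
function validateOptions(options) {
  const rules = {
    backgroundColor: HEX_COLOR,
    textColor: HEX_COLOR,
    fontFamily: FONT_FAMILY,
  };
  return Object.keys(rules).filter(
    (key) => options[key] !== undefined && !rules[key].test(options[key]),
  );
}

// The combined pipeline an application should run: validate first, and only
// then render with the escaping renderer. Rejected input never reaches SVG.
function renderOrReject(options) {
  const errors = validateOptions(options);
  if (errors.length > 0) {
    return { ok: false, errors, svg: null };
  }
  return { ok: true, errors: [], svg: renderAvatarSafe(options) };
}

// Constructed inputs: one clean, one carrying an attribute-delimiting quote.
const CLEAN = { backgroundColor: 'ff0000', fontFamily: 'Arial, sans-serif', textColor: '000000' };
const TAINTED = { backgroundColor: 'ff0000"', fontFamily: 'Arial', textColor: '000000' };
```

Running `renderAvatarUnsafe(TAINTED)` yields `fill="#ff0000""`, i.e. the attribute is closed early by the user-controlled quote, while `renderAvatarSafe(TAINTED)` yields `fill="#ff0000&quot;"` and `renderOrReject(TAINTED)` refuses to render at all, reporting `backgroundColor` as invalid. Serving the output with `Content-Type: image/svg+xml` or inlining it is only safe on the escaped path, and the validation step is what the advisory credits for the CLI not being vulnerable.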
How to fix CVE-2026-33311
To fix CVE-2026-33311, upgrade the affected packages to the patched versions listed below.
- — upgrade to 5.4.4 or later
- — upgrade to 5.4.4 or later
Is CVE-2026-33311 being exploited?
Low — EPSS is 0.0%; no widespread exploitation activity has been observed so far.
Affected packages (2)
- >= 5.0.0, < 5.4.4
- >= 5.0.0, < 5.4.4