GHSA-mr9r-mww3-v6gv (CVE-2026-33311)

Details

Summary

SVG attribute values derived from user-supplied options (backgroundColor, fontFamily, textColor) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to createAvatar() and serve the resulting SVG inline or with Content-Type: image/svg+xml.

Affected packages

@dicebear/core — backgroundColor option values interpolated into SVG attributes without escaping (affects solid and gradientLinear background types)
@dicebear/initials — fontFamily and textColor option values interpolated into SVG attributes without escaping

Fix

All affected SVG attribute values are now properly escaped using XML entity encoding. Users should upgrade to the listed patched versions.

Mitigating factors

Applications that validate input against the library's JSON Schema before passing it to createAvatar() are not affected
The DiceBear CLI validates input via AJV and was not vulnerable
Exploitation requires that an application passes untrusted, unvalidated external input directly as option values

Affected Packages

@dicebear/core

npm

Fixed in:

5.4.4

@dicebear/core

npm

Fixed in:

6.1.4

@dicebear/core

npm

Fixed in: