FKIE_CVE-2026-33311
Vulnerability from fkie_nvd - Published: 2026-03-24 14:16 - Updated: 2026-03-24 19:19
Severity: MEDIUM (CVSS 3.1 base score 4.7)
Summary
DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into the SVG output. This could allow Cross-Site Scripting (XSS) when an application passes untrusted input to `createAvatar()` and serves the resulting SVG inline or with `Content-Type: image/svg+xml`. Starting in versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, all affected SVG attribute values are properly escaped using XML entity encoding. Users should upgrade to the listed patched versions. Several mitigating factors limit exposure. Applications that validate input against the library's JSON Schema before passing it to `createAvatar()` are not affected. The DiceBear CLI validates input via AJV and was not vulnerable. Exploitation requires that an application passes untrusted, unvalidated external input directly as option values.
References
{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dicebear:dicebear:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB09AE0B-2C5F-42EE-B503-E6DB31F13097",
              "versionEndExcluding": "5.4.4",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dicebear:dicebear:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "91AF6F19-54B2-4B03-93BE-8CEE3924FCC6",
              "versionEndExcluding": "6.1.4",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dicebear:dicebear:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CD34B76-4E52-474D-98B6-4BEE30C058FA",
              "versionEndExcluding": "7.1.4",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dicebear:dicebear:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "857BBBB9-784C-4EDB-BF7B-F07E277D7BE6",
              "versionEndExcluding": "8.0.3",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dicebear:dicebear:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8FC8182-9B77-43A9-9178-E8ADF1409AA8",
              "versionEndExcluding": "9.4.1",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options (`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output. This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and serve the resulting SVG inline or with `Content-Type: image/svg+xml`. Starting in versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, all affected SVG attribute values are properly escaped using XML entity encoding. Users should upgrade to the listed patched versions. Some mitigating factors limit vulnerability. Applications that validate input against the library\u0027s JSON Schema before passing it to `createAvatar()` are not affected. The DiceBear CLI validates input via AJV and was not vulnerable. Exploitation requires that an application passes untrusted, unvalidated external input directly as option values."
    },
    {
      "lang": "es",
      "value": "DiceBear es una biblioteca de avatares para dise\u00f1adores y desarrolladores. A partir de la versi\u00f3n 5.0.0 y antes de las versiones 5.4.4, 6.1.4, 7.1.4, 8.0.3 y 9.4.1, los valores de atributos SVG derivados de opciones proporcionadas por el usuario (\u0027backgroundColor\u0027, \u0027fontFamily\u0027, \u0027textColor\u0027) no se escapaban en XML antes de la interpolaci\u00f3n en la salida SVG. Esto podr\u00eda permitir cross-site scripting (XSS) cuando las aplicaciones pasan entrada no confiable a createAvatar() y sirven el SVG resultante en l\u00ednea o con Content-Type: image/svg+xml. A partir de las versiones 5.4.4, 6.1.4, 7.1.4, 8.0.3 y 9.4.1, todos los valores de atributos SVG afectados se escapan correctamente utilizando la codificaci\u00f3n de entidades XML. Los usuarios deben actualizar a las versiones parcheadas listadas. Algunos factores mitigantes limitan la vulnerabilidad. Las aplicaciones que validan la entrada contra el esquema JSON de la biblioteca antes de pasarla a createAvatar() no se ven afectadas. La CLI de DiceBear valida la entrada a trav\u00e9s de AJV y no era vulnerable. La explotaci\u00f3n requiere que una aplicaci\u00f3n pase entrada externa no confiable y no validada directamente como valores de opci\u00f3n."
    }
  ],
  "id": "CVE-2026-33311",
  "lastModified": "2026-03-24T19:19:30.667",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-24T14:16:30.290",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/dicebear/dicebear/security/advisories/GHSA-mr9r-mww3-v6gv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}