SCA: security update for @dicebear/core, @dicebear/initials (GHSA-mr9r-mww3-v6gv)

medium Tenable Cloud Security Plugin ID 439245

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- DiceBear is an avatar library for designers and developers. Starting in version 5.0.0 and prior to
versions 5.4.4, 6.1.4, 7.1.4, 8.0.3, and 9.4.1, SVG attribute values derived from user-supplied options
(`backgroundColor`, `fontFamily`, `textColor`) were not XML-escaped before interpolation into SVG output.
This could allow Cross-Site Scripting (XSS) when applications pass untrusted input to `createAvatar()` and
serve the resulting SVG inline or with `Content-Type: image/svg+xml`. Starting in versions 5.4.4, 6.1.4,
7.1.4, 8.0.3, and 9.4.1, all affected SVG attribute values are properly escaped using XML entity encoding.
Users should upgrade to the listed patched versions. Some mitigating factors limit vulnerability.
Applications that validate input against the library's JSON Schema before passing it to `createAvatar()`
are not affected. The DiceBear CLI validates input via AJV and was not vulnerable. Exploitation requires
that an application passes untrusted, unvalidated external input directly as option values.
(CVE-2026-33311)

Solution

Update the @dicebear/core library and its related packages to version 5.4.4 or later.

See Also

https://github.com/advisories/GHSA-mr9r-mww3-v6gv

Plugin Details

Severity: Medium

ID: 439245

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/26/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-33311

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/19/2026

Vulnerability Publication Date: 3/19/2026

Reference Information

CVE: CVE-2026-33311

cwe: CWE-79