Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.
AnalysisAI
Inkscape 1.1 before 1.3 contains a local file disclosure vulnerability in XInclude processing that allows unauthenticated remote attackers to read arbitrary files from an affected system by crafting malicious SVG files with xi:include tags. The vulnerability has a moderate CVSS score of 6.3 but carries high confidentiality impact; no public exploit code or active exploitation has been confirmed at the time of analysis. Upstream fixes are available via GitLab merge requests, and users should upgrade to version 1.3 or later.
Technical ContextAI
The vulnerability resides in Inkscape's XInclude processing component, which is responsible for resolving and including external XML resources within SVG documents. XInclude is an XML mechanism that allows documents to reference and embed content from other files via xi:include tags. The root cause is classified under CWE-611 (Improper Restriction of XML External Entity Reference), a category that encompasses XXE (XML External Entity) attacks and similar XML entity processing flaws. In this case, the XInclude processor fails to properly validate or restrict file path references, allowing an attacker to specify local file paths (such as /etc/passwd) within crafted SVG files. When Inkscape processes these files, it resolves the xi:include directives and exposes the contents of local files. The affected product is Inkscape, a vector graphics editor commonly used for SVG creation and manipulation. Versions 1.1 through 1.2.x are vulnerable; version 1.3 and later address this flaw.
RemediationAI
Upgrade Inkscape to version 1.3 or later, which includes fixes addressing the XInclude processing vulnerability. The patched version is available from the official Inkscape project repository and standard package managers. Users unable to upgrade immediately should avoid opening SVG files from untrusted sources and consider restricting Inkscape usage to trusted content only. On systems where Inkscape is deployed in batch or automation workflows, implement input validation to reject SVG files containing xi:include directives or enforce sandboxing to limit file system access. For additional details and direct downloads, consult the vendor advisory and merge request references at https://gitlab.com/inkscape/inkscape/-/merge_requests/5269.
The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in
Inkscape before 0.48.4 reads .eps files from /tmp instead of the current directory, which might cause Inkspace to proces
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Workstation Extension 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16659
GHSA-8r7r-hrcf-cgvw