Skip to main content

Inkscape EUVDEUVD-2026-16659

| CVE-2026-4980 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-03-27 cve@gitlab.com GHSA-8r7r-hrcf-cgvw
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 15:22 euvd
EUVD-2026-16659
Analysis Generated
Mar 27, 2026 - 15:22 vuln.today
CVE Published
Mar 27, 2026 - 15:17 nvd
MEDIUM 6.3

DescriptionCVE.org

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

AnalysisAI

Inkscape 1.1 before 1.3 contains a local file disclosure vulnerability in XInclude processing that allows unauthenticated remote attackers to read arbitrary files from an affected system by crafting malicious SVG files with xi:include tags. The vulnerability has a moderate CVSS score of 6.3 but carries high confidentiality impact; no public exploit code or active exploitation has been confirmed at the time of analysis. Upstream fixes are available via GitLab merge requests, and users should upgrade to version 1.3 or later.

Technical ContextAI

The vulnerability resides in Inkscape's XInclude processing component, which is responsible for resolving and including external XML resources within SVG documents. XInclude is an XML mechanism that allows documents to reference and embed content from other files via xi:include tags. The root cause is classified under CWE-611 (Improper Restriction of XML External Entity Reference), a category that encompasses XXE (XML External Entity) attacks and similar XML entity processing flaws. In this case, the XInclude processor fails to properly validate or restrict file path references, allowing an attacker to specify local file paths (such as /etc/passwd) within crafted SVG files. When Inkscape processes these files, it resolves the xi:include directives and exposes the contents of local files. The affected product is Inkscape, a vector graphics editor commonly used for SVG creation and manipulation. Versions 1.1 through 1.2.x are vulnerable; version 1.3 and later address this flaw.

RemediationAI

Upgrade Inkscape to version 1.3 or later, which includes fixes addressing the XInclude processing vulnerability. The patched version is available from the official Inkscape project repository and standard package managers. Users unable to upgrade immediately should avoid opening SVG files from untrusted sources and consider restricting Inkscape usage to trusted content only. On systems where Inkscape is deployed in batch or automation workflows, implement input validation to reject SVG files containing xi:include directives or enforce sandboxing to limit file system access. For additional details and direct downloads, consult the vendor advisory and merge request references at https://gitlab.com/inkscape/inkscape/-/merge_requests/5269.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Workstation Extension 15 SP7 Fixed

Share

EUVD-2026-16659 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy