Svgo

1 CVEs product

Monthly

Sort: Newest CVSS Score EPSS Score Oldest

CVE-2026-29074 npm HIGH POC PATCH This Week

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.

Node.js Golang Denial Of Service Svgo Red Hat +1

NVD GitHub VulDB

CVSS 3.1

7.5

EPSS

0.1%

CVE-2026-29074 npm

EPSS 0% CVSS 7.5

HIGH POC PATCH This Week

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.

Node.js Golang Denial Of Service +3

NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy