CVE-2026-4980

6.3 MEDIUM

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read lo...

Published: 2026-03-27 · Last updated: 2026-05-26

Severity and scoring

CVSS: 6.3 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CWE: CWE-611

Affected products

Vendor	Product
inkscape	inkscape

Description

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-4980
[Patch]https://gitlab.com/inkscape/inkscape/-/merge_requests/5269
[Exploit reference]https://gitlab.com/inkscape/inkscape/-/work_items/3557

Related CVEs

Same CWE

CVE-2026-49875 — Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening c... (9.8 CRITICAL)
CVE-2026-40998 — Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled X... (8.2 HIGH)
CVE-2026-40991 — When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who comp... (5.9 MEDIUM)
CVE-2026-47960 — ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerab... (7.4 HIGH)
CVE-2026-8045 — CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side...