CVE-2026-4980 PUBLISHED

Improper Restriction of XML External Entity Reference in Inkscape

Assigner: GitLab
Reserved: 27.03.2026 Published: 27.03.2026 Updated: 27.03.2026

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 6.3

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Inkscape
Product	Inkscape
Versions	Default: unaffected affected from 1.1 to 1.3 (excl.)

Solutions

Upgrade to version 1.3 or above

Credits

VK (previously elttam) https://github.com/me0wday finder

References

https://gitlab.com/inkscape/inkscape/-/work_items/3557
https://gitlab.com/inkscape/inkscape/-/merge_requests/5269

Problem Types

CWE-611: Improper Restriction of XML External Entity Reference CWE