{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4980", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-03-27T11:18:24.287Z", "datePublished": "2026-03-27T14:50:48.271Z", "dateUpdated": "2026-04-06T19:48:25.588Z"}, "containers": {"cna": {"title": "Improper Restriction of XML External Entity Reference in Inkscape", "descriptions": [{"lang": "en", "value": "A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags."}], "affected": [{"vendor": "Inkscape", "product": "Inkscape", "versions": [{"version": "1.1", "status": "affected", "lessThan": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "cweId": "CWE-611", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/inkscape/inkscape/-/work_items/3557"}, {"url": "https://gitlab.com/inkscape/inkscape/-/merge_requests/5269"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.3 or above"}], "credits": [{"lang": "en", "value": "VK (previously elttam) https://github.com/me0wday", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-27T14:50:48.271Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T15:12:52.453006Z", "id": "CVE-2026-4980", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:48:25.588Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4980", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T15:12:52.453006Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T19:48:21.311Z"}}], "cna": {"title": "Improper Restriction of XML External Entity Reference in Inkscape", "credits": [{"lang": "en", "type": "finder", "value": "VK (previously elttam) https://github.com/me0wday"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Inkscape", "product": "Inkscape", "versions": [{"status": "affected", "version": "1.1", "lessThan": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.3 or above"}], "references": [{"url": "https://gitlab.com/inkscape/inkscape/-/work_items/3557"}, {"url": "https://gitlab.com/inkscape/inkscape/-/merge_requests/5269"}], "descriptions": [{"lang": "en", "value": "A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-27T14:50:48.271Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4980", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:48:25.588Z", "dateReserved": "2026-03-27T11:18:24.287Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-03-27T14:50:48.271Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "Inkscape", "vendor": "Inkscape", "versions": [{"lessThan": "1.3", "status": "affected", "version": "1.1", "versionType": "semver"}]}], "source": "cve@gitlab.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:inkscape:inkscape:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B2DE31D-CEB6-43FC-A40C-141D284CF403", "versionEndExcluding": "1.3", "versionStartIncluding": "1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags."}], "id": "CVE-2026-4980", "lastModified": "2026-06-17T10:57:32.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "cve@gitlab.com", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-4980", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-03-27T15:12:52.453006Z", "version": "2.0.3"}}]}, "published": "2026-03-27T15:17:03.790", "references": [{"source": "cve@gitlab.com", "tags": ["Issue Tracking", "Patch"], "url": "https://gitlab.com/inkscape/inkscape/-/merge_requests/5269"}, {"source": "cve@gitlab.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://gitlab.com/inkscape/inkscape/-/work_items/3557"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "cve@gitlab.com", "type": "Secondary"}]}

{"bugzilla": {"description": "Inkscape: Inkscape: Information disclosure via crafted SVG file with malicious XInclude tags", "id": "2452319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452319"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.", "A vulnerability was found in Inkscape due to improper handling of XInclude elements in SVG files. The application processes xi:include directives without restricting access to local resources, allowing external file references such as file:// URIs to be included during document processing. An attacker could exploit this by crafting a malicious SVG file that references sensitive local files. When the file is opened or processed by Inkscape, the contents of the referenced files may be embedded in the output, leading to unauthorized disclosure of local information."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability."}, "name": "CVE-2026-4980", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "inkscape", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "inkscape", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "inkscape:0.92.3/inkscape", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "inkscape1", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "inkscape", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-27T14:50:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4980\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4980\nhttps://gitlab.com/inkscape/inkscape/-/merge_requests/5269\nhttps://gitlab.com/inkscape/inkscape/-/work_items/3557"], "statement": "This vulnerability is rated Moderate severity as even if the remote attacker wants to exploit it; it requires a local user to pass/process a specially crafted SVG file to the Inkscape. The issue arises from unrestricted XInclude processing, which allows external file references to be resolved and included in the output. Successful exploitation can result in disclosure of sensitive local files. The scope is changed (S:C) because the vulnerability allows access to resources or file system outside the intended application boundary. There is no impact on integrity or availability.\n```\nThe vulnerable code was introduced in Inkscape beginning with version 1.1, when XInclude support was added.\nRed Hat Enterprise Linux 6, 7, and 8 ship older versions of Inkscape that do not include XInclude support; therefore, the vulnerable code is not present in these releases.\n```", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1,1.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Inkscape", "source": "cna", "vendor": "Inkscape"}, "product": "inkscape", "vendor": "inkscape"}], "analysis": {"en": {"generated_at": "2026-03-27T16:21:11.288331+00:00", "value": {"mitigation_remediation": ["Upgrade Inkscape to version 1.3 or newer.", "Verify that the installed Inkscape version matches the updated release.", "If an upgrade is not immediately possible, avoid opening SVG files from untrusted sources."], "summary": {"action": "Immediate Patch", "impact": "Local File Disclosure"}, "threat_synthesis": {"affected_systems": "Users running Inkscape versions prior to 1.3, including 1.1 and 1.2, are affected. The vulnerability is specific to the Inkscape application by the Inkscape team. Upgrading to Inkscape 1.3 or later removes the XInclude component that processes malicious xi:include tags, thereby mitigating the vulnerability.", "description_and_impact": "The vulnerability is an XML External Entity (XEE) flaw in the XInclude processing component of Inkscape, enabling an attacker to embed xi:include tags in a crafted SVG file that causes the application to expose local file contents. This flaw permits the attacker to read protected files from the victim\u2019s file system, compromising confidentiality and potentially exposing sensitive data. The weakness is classified as CWE-611, an improper restriction of XML external entity references.", "risk_and_exploitability": "The CVSS base score of 6.3 indicates moderate severity. Although no EPSS score is available, the flaw requires the attacker to supply a malicious SVG file, which the victim must open in Inkscape. Because this attack vector depends on local user interaction and the absence of a remote code execution capability, the likelihood of widespread exploitation remains lower than high-impact vulnerabilities. The vulnerability is not listed in the CISA KEV catalog, and no public proof\u2011of\u2011concept exploits have been reported. Nonetheless, organizations should treat it as a moderate risk and apply the available patch promptly."}}}}, "created": "2026-03-27T20:28:23.514638+00:00", "updated": "2026-03-30T07:01:39.886370+00:00", "vendors": ["inkscape", "inkscape$PRODUCT$inkscape"]}