Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-29074

Опубликовано: 06 мар. 2026
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

A flaw was found in SVGO, an SVG (Scalable Vector Graphics) Optimizer. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by submitting a specially crafted XML file. The application's failure to properly guard against XML entity expansion or recursion can lead to the Node.js process consuming excessive memory and crashing.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Cryostat 4io.cryostat-cryostatAffected
Gatekeeper 3gatekeeper/gatekeeper-rhel9Affected
Multicluster Engine for Kubernetesmulticluster-engine/console-mce-rhel9Affected
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-api-rhel8Affected
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-db-migration-rhel8Affected
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-ui-rhel8Affected
OpenShift Pipelinesopenshift-pipelines/pipelines-hub-ui-rhel9Affected
OpenShift Service Mesh 2openshift-service-mesh/kiali-rhel8Affected
OpenShift Service Mesh 3openshift-service-mesh/kiali-operator-bundleAffected
OpenShift Service Mesh 3openshift-service-mesh/kiali-ossmc-rhel9Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-776
https://bugzilla.redhat.com/show_bug.cgi?id=2445132svgo: SVGO: Denial of Service via XML entity expansion

EPSS

Процентиль: 17%
0.00055
Низкий

7.5 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2026-29074

CVSS3: 7.5
nvd
21 день назад

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

debian логотип

CVE-2026-29074

CVSS3: 7.5
debian
21 день назад

SVGO, short for SVG Optimizer, is a Node.js library and command-line a ...

github логотип

GHSA-xpqw-6gx7-v673

CVSS3: 7.5
github
23 дня назад

SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)

EPSS

Процентиль: 17%
0.00055
Низкий

7.5 High

CVSS3