Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-4980

Опубликовано: 27 мар. 2026
Источник: redhat
CVSS3: 6.3
EPSS Низкий

Описание

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

A vulnerability was found in Inkscape due to improper handling of XInclude elements in SVG files. The application processes xi:include directives without restricting access to local resources, allowing external file references such as file:// URIs to be included during document processing. An attacker could exploit this by crafting a malicious SVG file that references sensitive local files. When the file is opened or processed by Inkscape, the contents of the referenced files may be embedded in the output, leading to unauthorized disclosure of local information.

Отчет

This vulnerability is rated Moderate severity as even if the remote attacker wants to exploit it; it requires a local user to pass/process a specially crafted SVG file to the Inkscape. The issue arises from unrestricted XInclude processing, which allows external file references to be resolved and included in the output. Successful exploitation can result in disclosure of sensitive local files. The scope is changed (S:C) because the vulnerability allows access to resources or file system outside the intended application boundary. There is no impact on integrity or availability.

The vulnerable code was introduced in Inkscape beginning with version 1.1, when XInclude support was added. Red Hat Enterprise Linux 6, 7, and 8 ship older versions of Inkscape that do not include XInclude support; therefore, the vulnerable code is not present in these releases.

Меры по смягчению последствий

Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6inkscapeNot affected
Red Hat Enterprise Linux 7inkscapeNot affected
Red Hat Enterprise Linux 8inkscape:0.92.3/inkscapeNot affected
Red Hat Enterprise Linux 8inkscape1Not affected
Red Hat Enterprise Linux 9inkscapeFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-611
https://bugzilla.redhat.com/show_bug.cgi?id=2452319Inkscape: Inkscape: Information disclosure via crafted SVG file with malicious XInclude tags

EPSS

Процентиль: 8%
0.00027
Низкий

6.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2026-4980

CVSS3: 6.3
ubuntu
12 дней назад

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

nvd логотип

CVE-2026-4980

CVSS3: 6.3
nvd
12 дней назад

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

debian логотип

CVE-2026-4980

CVSS3: 6.3
debian
12 дней назад

A local file disclosure vulnerability in the XInclude processing compo ...

github логотип

GHSA-8r7r-hrcf-cgvw

CVSS3: 6.3
github
12 дней назад

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

EPSS

Процентиль: 8%
0.00027
Низкий

6.3 Medium

CVSS3