{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4980", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-03-27T11:18:24.287Z", "datePublished": "2026-03-27T14:50:48.271Z", "dateUpdated": "2026-03-27T14:50:48.271Z"}, "containers": {"cna": {"title": "Improper Restriction of XML External Entity Reference in Inkscape", "descriptions": [{"lang": "en", "value": "A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags."}], "affected": [{"vendor": "Inkscape", "product": "Inkscape", "versions": [{"version": "1.1", "status": "affected", "lessThan": "1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "cweId": "CWE-611", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/inkscape/inkscape/-/work_items/3557"}, {"url": "https://gitlab.com/inkscape/inkscape/-/merge_requests/5269"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.3 or above"}], "credits": [{"lang": "en", "value": "VK (previously elttam) https://github.com/me0wday", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-27T14:50:48.271Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags."}], "id": "CVE-2026-4980", "lastModified": "2026-03-27T15:17:03.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-03-27T15:17:03.790", "references": [{"source": "cve@gitlab.com", "url": "https://gitlab.com/inkscape/inkscape/-/merge_requests/5269"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/inkscape/inkscape/-/work_items/3557"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T16:21:11.288331+00:00", "value": {"mitigation_remediation": ["Upgrade Inkscape to version 1.3 or newer.", "Verify that the installed Inkscape version matches the updated release.", "If an upgrade is not immediately possible, avoid opening SVG files from untrusted sources."], "summary": {"action": "Immediate Patch", "impact": "Local File Disclosure"}, "threat_synthesis": {"affected_systems": "Users running Inkscape versions prior to 1.3, including 1.1 and 1.2, are affected. The vulnerability is specific to the Inkscape application by the Inkscape team. Upgrading to Inkscape 1.3 or later removes the XInclude component that processes malicious xi:include tags, thereby mitigating the vulnerability.", "description_and_impact": "The vulnerability is an XML External Entity (XEE) flaw in the XInclude processing component of Inkscape, enabling an attacker to embed xi:include tags in a crafted SVG file that causes the application to expose local file contents. This flaw permits the attacker to read protected files from the victim\u2019s file system, compromising confidentiality and potentially exposing sensitive data. The weakness is classified as CWE-611, an improper restriction of XML external entity references.", "risk_and_exploitability": "The CVSS base score of 6.3 indicates moderate severity. Although no EPSS score is available, the flaw requires the attacker to supply a malicious SVG file, which the victim must open in Inkscape. Because this attack vector depends on local user interaction and the absence of a remote code execution capability, the likelihood of widespread exploitation remains lower than high-impact vulnerabilities. The vulnerability is not listed in the CISA KEV catalog, and no public proof\u2011of\u2011concept exploits have been reported. Nonetheless, organizations should treat it as a moderate risk and apply the available patch promptly."}}}}, "created": "2026-03-27T20:28:23.514638+00:00", "updated": "2026-03-27T20:28:23.514670+00:00", "vendors": []}