Inkscape (Vector Graphics Editor), Local File Disclosure via XInclude, CVE-2026-4980 (Medium)

Listen to this Post

How CVE-2026-4980 Works

The vulnerability resides in how Inkscape versions 1.1 through 1.2.999 process the XInclude standard within SVG files. XInclude is an XML feature that allows an XML document to include other XML or text resources. The Inkscape SVG parser does not properly validate or restrict external references processed through XInclude directives. When the application encounters a `` tag with a `href` attribute pointing to a local resource, it follows the reference. An attacker can embed a malicious tag, such as <xi:include href="file:///etc/passwd"/>. When the user opens the crafted SVG file, Inkscape’s XInclude handler resolves the URI, reads the targeted local file, and embeds its contents into the document’s representation. This bypasses the application’s intended sandbox for file handling. The component fails to enforce proper URI scheme restrictions or path sanitization. The attack vector is local, requiring user interaction for file opening. The vulnerability is classified under CWE-611: Improper Restriction of XML External Entity Reference. The impact is high for confidentiality, as it can disclose sensitive system files, but no direct integrity or availability loss occurs. The vulnerability was privately reported to the Inkscape development team and fixed in version 1.3 without prior public disclosure.

DailyCVE Form

Platform: Inkscape
Version: 1.1 before 1.3
Vulnerability: Local file disclosure
Severity: Medium (CVSS 6.3)
Date: March 27, 2026

Prediction: Patch already available

What Undercode Say: (Analytics)

Check if Inkscape version is affected
inkscape --version
Search for exploitable patterns in SVG files
grep -r 'xi:include' /path/to/svg/files
MITRE ATT&CK mapping for T1005 (Data from Local System)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Exploit

A remote attacker crafts a malicious SVG file containing the following tag:

<xi:include href="file:///etc/passwd" parse="text" />

The attacker lures a user into opening the SVG file with Inkscape 1.1–1.2.999. Inkscape processes the XInclude tag, reads the local `/etc/passwd` file, and displays its contents, exposing sensitive local information.

Protection from this CVE

  • Immediately upgrade to Inkscape version 1.3 or later.
  • As a temporary measure, avoid opening untrusted SVG files from unknown sources.
  • Disable XInclude processing if a configuration option exists in the specific build.

Impact

  • Confidentiality (High): Attackers can read any local files the Inkscape process has access to.
  • Integrity (None): No unauthorized modification of data.
  • Availability (None): Application remains functional during exploitation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Concrete CMS, CSRF Token Validation Missing, CVE-2026-8428 (High)

Scroll to Top