PatchSiren cyber security CVE debrief

CVE-2026-4980 Inkscape CVE debrief

A local file disclosure vulnerability exists in Inkscape's XInclude processing. Versions 1.1 through 1.2.x are affected. An attacker who can get a user to open a crafted SVG file containing malicious xi:include elements can read files from that user's local system. The issue stems from improper restriction of the external resources that XInclude is allowed to pull in, the same class of problem as XML External Entity (XXE) attacks, and is classified under CWE-611 (Improper Restriction of XML External Entity Reference). The vulnerability was published on March 27, 2026, and the record was last modified on May 26, 2026. A patch is available via a vendor merge request.

Vendor
Inkscape
Product
Unknown
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-27
Original CVE updated
2026-05-26
Advisory published
2026-03-27
Advisory updated
2026-05-26

Who should care

Organizations and individuals using Inkscape versions 1.1 through 1.2.x for SVG editing, particularly those handling SVG files from untrusted sources. Security teams responsible for endpoint protection and software asset management should prioritize patching.

Technical summary

The vulnerability resides in Inkscape's XInclude processing. When parsing SVG files containing xi:include elements, the application does not restrict which resources an include's href may reference, so a crafted document can pull the contents of arbitrary local files into the parsed drawing. The attack requires user interaction (opening a malicious SVG file) but has high confidentiality impact. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N: the attack vector is local because the file must be opened on the victim's machine, attack complexity is low, no privileges are required, user interaction is required, and scope is changed because the impact reaches files on the underlying file system rather than staying inside the vulnerable component. Integrity and availability are not affected.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Inkscape to version 1.3 or later to remediate this vulnerability
  • If an immediate upgrade is not feasible, review and apply the patch from the vendor's GitLab merge request 5269
  • Implement security awareness training for users on the risks of opening SVG files from unknown or untrusted sources
  • Check which application is registered as the handler for .svg files on managed endpoints; where Inkscape is the default opener, an attachment double-clicked from an email client or a browser download is parsed by the vulnerable component, so consider disabling automatic opening of SVG attachments
  • Monitor in endpoint detection and response (EDR) tooling for Inkscape processes reading sensitive system or credential files unrelated to the document being edited shortly after an SVG is opened
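The following is an added example written for this debrief, not Inkscape's code and not the vendor's fix. It illustrates both the mechanism in the technical summary and the detection bullet above: it triages an untrusted SVG for xi:include directives whose href reaches a local file, and shows one defensive pattern, resolving includes only through a loader that refuses such references. Python's standard-library ElementInclude stands in for Inkscape's XInclude processor; the two SVG documents and the file path in the malicious one are constructed for the example, not taken from the CVE record.

```python
"""Added example for this debrief (not Inkscape code): triage an untrusted SVG
for XInclude directives that would read local files, and expand includes with
a loader that refuses such references. Python's stdlib ElementInclude stands
in for Inkscape's XInclude processor; the sample documents are constructed."""
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from urllib.parse import urlsplit

XI_NS = "http://www.w3.org/2001/XInclude"
XI_INCLUDE = "{%s}include" % XI_NS

# Constructed sample in the shape the debrief describes: an xi:include whose
# href names a local file and whose parse="text" drops its contents into a
# text node. The target path is illustrative, not taken from the CVE record.
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude" width="240" height="60">
  <text x="10" y="30"><xi:include href="file:///etc/passwd" parse="text"/></text>
</svg>
"""

# Constructed benign sample with no XInclude at all.
BENIGN_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="240" height="60">
  <text x="10" y="30">hello</text>
</svg>
"""


def find_includes(svg):
    """Return (href, parse) for every xi:include element, at any depth."""
    root = ET.fromstring(svg)
    return [(el.get("href", ""), el.get("parse", "xml"))
            for el in root.iter(XI_INCLUDE)]


def is_local_read(href):
    """Flag hrefs that reach outside the document's own directory: any URL
    scheme (file:, http:; a Windows drive letter also parses as a scheme),
    an absolute path, or a '..' traversal segment. Relative paths pass."""
    parts = urlsplit(href)
    if parts.scheme:
        return True
    path = parts.path.replace("\\", "/")
    if not path:                        # fragment-only reference, same document
        return False
    if path.startswith("/"):
        return True
    return ".." in path.split("/")


def triage(svg):
    """Suspicious (href, parse) pairs found in an SVG; empty means none found."""
    return [(h, p) for h, p in find_includes(svg) if is_local_read(h)]


def restricted_loader(href, parse, encoding=None):
    """ElementInclude loader that refuses anything triage() would flag and
    otherwise defers to the stdlib default loader for relative hrefs."""
    if is_local_read(href):
        raise PermissionError("refusing XInclude of %r" % href)
    return ElementInclude.default_loader(href, parse, encoding)


def expand_safely(svg):
    """Parse and resolve XIncludes, but only through restricted_loader.
    Raises PermissionError on a local-file reference instead of reading it."""
    root = ET.fromstring(svg)
    ElementInclude.include(root, loader=restricted_loader)
    return root


def expansion_allowed(svg):
    """True if the document resolves without touching a local file."""
    try:
        expand_safely(svg)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(name, "suspicious includes:", triage(doc),
              "expansion allowed:", expansion_allowed(doc))
```

triage() only inspects xi:include elements, so an empty result means "no XInclude local reads found", not "file is safe"; other inclusion paths (external entities, nested documents) need their own checks. The allow-list in is_local_read is deliberately strict: anything with a scheme is refused, which also blocks network fetches that would reveal the viewer's address.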

Evidence notes

The vulnerability affects Inkscape versions from 1.1 up to, but not including, 1.3. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N. The CPE criteria confirm this version range. The patch is available in GitLab merge request 5269. Exploit details are tracked in GitLab work item 3557.

Official resources

2026-03-27