Executive Summary

CVE-2026-4980 is a local file disclosure vulnerability in Inkscape versions 1.1 before 1.3. It arises from the XInclude processing component that allows SVG files to include external XML content. An attacker can craft a malicious SVG file containing xi:include tags with file URIs to read sensitive local files on the system.

When Inkscape processes such a crafted SVG file, especially via command-line operations like converting SVG to PDF, it can embed the contents of local files (e.g., /etc/passwd) into the output, leading to unauthorized local file inclusion.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to leakage of private and sensitive information stored in local files on the system where Inkscape is run. An attacker who can supply a crafted SVG file can cause Inkscape to disclose contents of local files by embedding them into exported documents.

Such unauthorized disclosure can expose credentials, configuration files, or other sensitive data, potentially compromising system security or privacy depending on the context in which Inkscape is used.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing if Inkscape processes SVG files containing malicious <xi:include> tags that reference local files. Specifically, you can create a crafted SVG file that includes a local file using the <xi:include> tag with a file:// URI (e.g., referencing /etc/passwd).

A practical detection method is to use the Inkscape command-line interface to convert such a crafted SVG file to PDF and then check if the contents of the referenced local file appear in the output PDF.

Example command to test the vulnerability:

• inkscape test.svg --export-type=pdf --export-filename=output.pdf

After running this command, extract and inspect the text from output.pdf to see if it contains the contents of the local file referenced in the SVG.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling XInclude processing in Inkscape to prevent local file disclosure via crafted SVG files.

The patch under review disables XInclude by default for general SVG files, restricting its use only to shortcut keys files, which aligns with the original intended functionality.

If you require XInclude functionality, preprocess XInclude tags externally before loading SVG files into Inkscape, as Inkscape does not preserve XInclude tags when editing and saving.

Additional suggested mitigations include implementing directory or file whitelisting to restrict which files can be included.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized local file disclosure through crafted SVG files, potentially leading to leakage of private information or credentials depending on the execution context.

Such unauthorized disclosure of sensitive or private data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to exposure of confidential data.

Useful 0 Not Useful 0