Fluid Attacks Database

Description

A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	inkscape	-	-
debian 12	inkscape	=1.2.2-2 \|\| =1.2.2-3 \|\| =1.2.2-4 \|\| =1.2.2-6 \|\| =1.2.2-7 \|\| =1.2.2-8 \|\| =1.3+ds-1 \|\| =1.3.2-1 \|\| =1.4-1 \|\| =1.4-2 \|\| =1.4-3 \|\| =1.4-4 \|\| =1.4-5 \|\| =1.4-6 \|\| =1.4.2-1 \|\| =1.4.2-2 \|\| =1.4.2-3	-
debian 13	inkscape	>=0 <1.4-4	1.4-4
debian 14	inkscape	>=0 <1.4-4	1.4-4

Aliases

1. CVE-2026-49802. NVD-2026-49803. OSV-2026-49804. OSV-DEBIAN-2026-49805. SECURITY-TRACKER-CVE-2026-4980

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.