Aggregates CVE and security vulnerability intelligence across all inkscape-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk xxe, vendor risk buffer overflow, and vendor risk memory corruption and related problems; some flaws may lead to vendor impact application crash and vendor impact memory corruption.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-4980 | A local file disclosure vulnerability in the XInclude processing component of Inkscape 1.1 before 1.3 allows a remote attacker to read local files via a crafted SVG file containing malicious xi:include tags. | [email protected] | 6.3 | 0.03% | 2026-03-27 | 2026-05-26 |
| CVE-2021-42704 | Inkscape version 0.91 is vulnerable to an out-of-bounds write, which may allow an attacker to arbitrary execute code. | [email protected] | 7.8 | 0.39% | 2022-05-18 | 2024-11-21 |
| CVE-2021-42702 | Inkscape version 0.91 can access an uninitialized pointer, which may allow an attacker to have access to unauthorized information. | [email protected] | 3.3 | 0.16% | 2022-05-18 | 2024-11-21 |
| CVE-2021-42700 | Inkscape 0.91 is vulnerable to an out-of-bounds read, which may allow an attacker to have access to unauthorized information. | [email protected] | 3.3 | 0.16% | 2022-05-18 | 2024-11-21 |
| CVE-2012-6076 | Inkscape before 0.48.4 reads .eps files from /tmp instead of the current directory, which might cause Inkspace to process unintended files, allow local users to obtain sensitive information, and possibly have other unspecified impacts. | [email protected] | 4.4 | 0.06% | 2013-03-12 | 2026-04-29 |
| CVE-2012-5656 | The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack. | [email protected] | 5.5 | 0.10% | 2013-01-18 | 2026-04-29 |
| CVE-2007-1464 | Format string vulnerability in the whiteboard Jabber protocol in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. | [email protected] | 6.8 | 6.96% | 2007-03-21 | 2026-04-23 |
| CVE-2007-1463 | Format string vulnerability in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a URI, which is not properly handled by certain dialogs. | [email protected] | 6.8 | 16.55% | 2007-03-21 | 2026-04-23 |
| CVE-2005-3885 | The ps2epsi extension shell script (ps2epsi.sh) in Inkscape before 0.41 allows local users to overwrite arbitrary files via a symlink attack on the tmpepsifile.epsi temporary file. | [email protected] | 2.1 | 0.08% | 2005-11-29 | 2026-04-16 |
| CVE-2005-3737 | Buffer overflow in the SVG importer (style.cpp) of inkscape 0.41 through 0.42.2 might allow remote attackers to execute arbitrary code via a SVG file with long CSS style property values. | [email protected] | 5.1 | 28.06% | 2005-11-22 | 2026-04-16 |