CVE-2026-31899

CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification

Description

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.

INFO

Published Date :

2026-03-13T19:38:43.990Z

Last Modified :

2026-03-13T19:38:43.990Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-31899 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31899.

URL	Resource
https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact