High severity · NVD Advisory · Published Mar 13, 2026 · Updated Mar 16, 2026
CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification
CVE-2026-31899
Description
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.9.0, Kozea/CairoSVG is vulnerable to an exponential denial of service via recursive `<use>` element amplification in cairosvg/defs.py: a small input can cause CPU exhaustion.
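One defender-side mitigation for the mechanism above is to bound the expanded size of an SVG before handing it to CairoSVG. The following is an added example, not CairoSVG's own code or its fix: it walks the `<use>` reference graph with memoisation, so the check itself stays linear even when the expansion would be exponential, and rejects cyclic references or documents that exceed a node budget. The sample SVG, the budget value and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_EXPANDED_NODES = 10_000  # assumed budget; tune for your workload


def _href(el):
    # <use> may carry xlink:href (SVG 1.1) or a plain href (SVG 2)
    return el.get(f"{{{XLINK_NS}}}href") or el.get("href")


def expanded_size(svg_text, budget=MAX_EXPANDED_NODES):
    """Number of element nodes once every <use> is expanded, without expanding."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    memo, on_stack = {}, set()

    def cost(el):
        key = id(el)
        if key in memo:
            return memo[key]          # shared subtree: count it once, reuse the result
        if key in on_stack:
            raise ValueError("cyclic <use> reference")
        on_stack.add(key)
        total = 1
        if el.tag.split("}")[-1] == "use":
            ref = _href(el)
            target = by_id.get(ref[1:]) if ref and ref.startswith("#") else None
            if target is not None:
                total += cost(target)  # the referenced subtree is rendered in place
        for child in el:
            total += cost(child)
        if total > budget:
            raise ValueError(f"expansion exceeds budget of {budget} nodes")
        on_stack.discard(key)
        memo[key] = total
        return total

    return cost(root)


def check_svg(svg_text, budget=MAX_EXPANDED_NODES):
    """(True, expanded node count) or (False, reason) for a pre-render gate."""
    try:
        return True, expanded_size(svg_text, budget)
    except (ValueError, ET.ParseError) as exc:
        return False, str(exc)


# Constructed sample: each group references the previous one twice, so the
# rendered tree grows exponentially with depth while the source stays tiny.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs><circle id="c0" r="1"/>
<g id="c1"><use xlink:href="#c0"/><use xlink:href="#c0"/></g>
<g id="c2"><use xlink:href="#c1"/><use xlink:href="#c1"/></g></defs>
<use xlink:href="#c2"/></svg>"""
CYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
<g id="a"><use href="#b"/></g><g id="b"><use href="#a"/></g></svg>"""
```

Run `check_svg` on untrusted input before calling `cairosvg.svg2png` and refuse anything that returns `False`.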
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| CairoSVG (PyPI) | < 2.9.0 | 2.9.0 |
Affected products
| Package URL | Distribution | Affected range |
|---|---|---|
| pkg:pypi/cairosvg | PyPI | < 2.9.0 |
| pkg:rpm/opensuse/python-CairoSVG | openSUSE Leap 15.6 | < 2.7.1-150400.9.6.1 |
| pkg:rpm/opensuse/python-CairoSVG | openSUSE Tumbleweed | < 2.9.0-1.1 |
| pkg:rpm/suse/python-CairoSVG | SUSE Linux Enterprise Module for Python 3 15 SP7 | < 2.7.1-150400.9.6.1 |
| pkg:rpm/suse/python-CairoSVG | SUSE Linux Enterprise Server 16.0 | < 2.7.1-160000.3.1 |
| pkg:rpm/suse/python-CairoSVG | SUSE Linux Enterprise Server for SAP applications 16.0 | < 2.7.1-160000.3.1 |
No CPE is assigned to any of these entries.
References
- GitHub Advisory Database entry: https://github.com/advisories/GHSA-f38f-5xpm-9r7c
- Fix commit: https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf
- Vendor advisory (confirmed): https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c