CVE-2026-29074

HighPublic PoC

Published: 06 March 2026

Published

06 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0008 23.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29074 is a high-severity XML Entity Expansion (CWE-776) vulnerability in Svgo Svgo. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of public-facing apps/services processing SVGs via SVGO (T1190) directly triggers application/system DoS through XML entity expansion and resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities,…

without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

Deeper analysisAI

CVE-2026-29074 is a denial-of-service vulnerability in SVGO, a Node.js library and command-line application for optimizing SVG files. Published on 2026-03-06, it affects versions from 2.1.0 to before 2.8.1, from 3.0.0 to before 3.3.3, and before 4.0.1. The flaw stems from SVGO accepting XML with custom entities without protections against entity expansion or recursion, enabling a small 811-byte XML file to trigger excessive memory usage. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-776.

Any unauthenticated remote attacker can exploit this vulnerability by supplying a malicious SVG file to an application or service using a vulnerable SVGO version. No user interaction or privileges are required, and exploitation is straightforward due to low attack complexity. Successful exploitation stalls the targeted application and can crash the Node.js process via a JavaScript heap out of memory error, resulting in high availability impact without affecting confidentiality or integrity.

The vulnerability has been patched in SVGO versions 2.8.1, 3.3.3, and 4.0.1. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673.

Details

CWE(s): CWE-776

Affected Products

svgo

2.1.0 — 2.8.1 · 3.0.0 — 3.3.3 · 4.0.0 — 4.0.1

CVEs Like This One

CVE-2026-33036Shared CWE-776

CVE-2026-26278Shared CWE-776

References

https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com