CVE-2026-31899

HIGH

CairoSVG < 2.9.0 - Denial of Service via Recursive <use> Element Amplification

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-31899. PoCs published by XiaomingX, SnailSploit.

AI-analyzed exploit summary: This repository provides a detailed technical analysis and proof-of-concept for CVE-2026-31899, an exponential DoS vulnerability in CairoSVG caused by uncontrolled recursion in the handling of SVG <use> elements. The analysis includes a breakdown of the vulnerability mechanics, a functional PoC SVG payload, and remediation guidance.

Description

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.9.0, Kozea/CairoSVG has an exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. A small input is enough to cause CPU exhaustion.

Exploits (2)

github WRITEUP 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-31899

This repository provides a detailed technical analysis and proof-of-concept for CVE-2026-31899, an exponential DoS vulnerability in CairoSVG caused by uncontrolled recursion in the handling of SVG <use> elements. The analysis includes a breakdown of the vulnerability mechanics, a functional PoC SVG payload, and remediation guidance.

Classification: Writeup 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: CairoSVG < 2.9.0
Authentication: No auth needed
Prerequisites: CairoSVG < 2.9.0 installed · ability to process SVG files
Analyzed by devstral-2 · Mar 16, 2026
nomisec WRITEUP
by SnailSploit · poc
https://github.com/SnailSploit/CVE-2026-31899

This repository provides a detailed technical analysis and proof-of-concept for CVE-2026-31899, an exponential DoS vulnerability in CairoSVG caused by recursive <use> element amplification. It includes a functional SVG payload and reproduction steps.

Classification: Writeup 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: CairoSVG < 2.9.0
Authentication: No auth needed
Prerequisites: CairoSVG installed · ability to process SVG files
Analyzed by devstral-2 · Mar 15, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0004
EPSS Percentile: 12.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-674 (Uncontrolled Recursion)
Status: published
Products (3):
courtbouillon/cairosvg < 2.9.0
Kozea/CairoSVG < 2.9.0
pypi/CairoSVG 0 - 2.9.0 (PyPI)
Published: Mar 13, 2026
Tracked Since: Mar 14, 2026