CVE-2026-31899

HIGH

CairoSVG - DoS

Title source: llm

Description

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Versions of Kozea/CairoSVG prior to 2.9.0 are vulnerable to an exponential denial of service via recursive <use> element amplification in cairosvg/defs.py: a small input causes CPU exhaustion.

Exploits (2)

github WRITEUP 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-31899
nomisec WRITEUP
by SnailSploit · poc
https://github.com/SnailSploit/CVE-2026-31899

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 11.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-674
Status published
Products (3)
courtbouillon/cairosvg < 2.9.0
Kozea/CairoSVG < 2.9.0
pypi/CairoSVG 0 - 2.9.0 (PyPI)
Published Mar 13, 2026
Tracked Since Mar 14, 2026