SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29074.json
https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673
https://bugzilla.redhat.com/show_bug.cgi?id=2445132
https://access.redhat.com/security/cve/CVE-2026-29074
https://access.redhat.com/errata/RHSA-2026:9742
https://access.redhat.com/errata/RHSA-2026:8493
https://access.redhat.com/errata/RHSA-2026:8491
https://access.redhat.com/errata/RHSA-2026:8490
https://access.redhat.com/errata/RHSA-2026:8484
https://access.redhat.com/errata/RHSA-2026:8483
https://access.redhat.com/errata/RHSA-2026:7110
https://access.redhat.com/errata/RHSA-2026:6926
https://access.redhat.com/errata/RHSA-2026:6568
https://access.redhat.com/errata/RHSA-2026:6309
https://access.redhat.com/errata/RHSA-2026:6277
https://access.redhat.com/errata/RHSA-2026:5807
https://access.redhat.com/errata/RHSA-2026:24977
https://access.redhat.com/errata/RHSA-2026:22465
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:21017
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:19375
https://access.redhat.com/errata/RHSA-2026:13826
https://access.redhat.com/errata/RHSA-2026:13553
https://access.redhat.com/errata/RHSA-2026:13545
https://access.redhat.com/errata/RHSA-2026:13512