CVE-2026-29074

high

Description

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

References

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29074.json

https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673

https://bugzilla.redhat.com/show_bug.cgi?id=2445132

https://access.redhat.com/security/cve/CVE-2026-29074

https://access.redhat.com/errata/RHSA-2026:9742

https://access.redhat.com/errata/RHSA-2026:8493

https://access.redhat.com/errata/RHSA-2026:8491

https://access.redhat.com/errata/RHSA-2026:8490

https://access.redhat.com/errata/RHSA-2026:8484

https://access.redhat.com/errata/RHSA-2026:8483

https://access.redhat.com/errata/RHSA-2026:7110

https://access.redhat.com/errata/RHSA-2026:6926

https://access.redhat.com/errata/RHSA-2026:6568

https://access.redhat.com/errata/RHSA-2026:6309

https://access.redhat.com/errata/RHSA-2026:6277

https://access.redhat.com/errata/RHSA-2026:5807

https://access.redhat.com/errata/RHSA-2026:24977

https://access.redhat.com/errata/RHSA-2026:22465

https://access.redhat.com/errata/RHSA-2026:21772

https://access.redhat.com/errata/RHSA-2026:21017

https://access.redhat.com/errata/RHSA-2026:19712

https://access.redhat.com/errata/RHSA-2026:19375

https://access.redhat.com/errata/RHSA-2026:13826

https://access.redhat.com/errata/RHSA-2026:13553

https://access.redhat.com/errata/RHSA-2026:13545

https://access.redhat.com/errata/RHSA-2026:13512

https://access.redhat.com/errata/RHSA-2026:11916

https://access.redhat.com/errata/RHSA-2026:11856

Details

Source: Mitre, NVD

Published: 2026-03-06

Updated: 2026-07-10

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.0004