CVE-2026-29074— SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-29074
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs)
Source: NVD (National Vulnerability Database)
Vulnerability Description
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
DTD中递归实体索引的不恰当限制(XML实体扩展)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SVGO 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SVGO是svg开源的一个SVG文件优化工具。 SVGO 2.1.0至2.8.1之前版本、3.0.0至3.3.3之前版本和4.0.1之前版本存在安全漏洞,该漏洞源于处理XML自定义实体时未防范实体扩展,可能导致拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-29074
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-29074
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same weakness: CWE-776
- CVE-2026-40260
pypdf: Manipulated XMP metadata entity declarations can exha - CVE-2026-33036
fast-xml-parser affected by numeric entity expansion bypassi - CVE-2026-27807
MarkUs: YAML alias (‘billion laughs’) DoS in config upload - CVE-2026-26278
fast-xml-parser affected by DoS through entity expansion in - CVE-2025-20369
Extensible Markup Language (XML) External Entity Injection (
V. Comments for CVE-2026-29074
No comments yet