Impact
The vulnerability is an XML External Entity (XXE) flaw in the XInclude processing component of Inkscape, enabling an attacker to embed xi:include tags in a crafted SVG file that cause the application to expose local file contents. This flaw permits the attacker to read protected files from the victim's file system, compromising confidentiality and potentially exposing sensitive data. The weakness is classified as CWE-611, improper restriction of XML external entity references.
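As an added example (not Inkscape's or OpenCVE's code), the following defender-side gate shows how an SVG can be inspected for the xi:include directives described above before it reaches an XInclude-aware renderer; the document names, the placeholder path and the two-namespace list are assumptions made for the illustration.

```python
# Added example, not Inkscape's code: flag XInclude directives (xi:include) in an SVG
# before it is handed to an XInclude-aware processor. The stdlib expat-based parser does
# not expand XInclude on its own; expansion happens only if xml.etree.ElementInclude.include()
# is called explicitly, so parsing here is inert and safe to run on untrusted input.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Both namespace URIs the XInclude specification has used over time.
XINCLUDE_NAMESPACES = {
    "http://www.w3.org/2001/XInclude",
    "http://www.w3.org/2003/XInclude",
}


def find_xincludes(svg_bytes: bytes) -> list[dict]:
    """Return one finding per xi:include element: its href, its parse mode and
    whether the href points at a local resource (no scheme, or file:)."""
    root = ET.fromstring(svg_bytes)  # inert: no XInclude or external-entity expansion
    findings = []
    for el in root.iter():
        if not el.tag.startswith("{"):
            continue  # an element without a namespace cannot be xi:include
        ns, local_name = el.tag[1:].split("}", 1)
        if ns in XINCLUDE_NAMESPACES and local_name == "include":
            href = el.get("href", "")
            scheme = urlparse(href).scheme.lower()
            findings.append({
                "href": href,
                "parse": el.get("parse", "xml"),  # parse="text" pulls in non-XML files verbatim
                "local": scheme in ("", "file"),
            })
    return findings


def is_safe_to_open(svg_bytes: bytes) -> bool:
    """Reject any SVG carrying an XInclude directive; ordinary drawings need none."""
    return not find_xincludes(svg_bytes)


# Constructed sample documents; the href is a placeholder, not a real path.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/></svg>"""

XINCLUDE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <text x="0" y="10"><xi:include href="/placeholder/local/file.txt" parse="text"/></text>
</svg>"""

if __name__ == "__main__":
    print(find_xincludes(XINCLUDE_SVG), is_safe_to_open(BENIGN_SVG))
```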
Affected Systems
Users running Inkscape versions prior to 1.3, including 1.1 and 1.2, are affected. The vulnerability is specific to the Inkscape application maintained by the Inkscape team. Upgrading to Inkscape 1.3 or later removes the XInclude component that processes malicious xi:include tags, thereby mitigating the vulnerability.
Risk and Exploitability
The CVSS base score of 6.3 indicates moderate severity. Although no EPSS score is available, exploitation requires the attacker to supply a malicious SVG file that the victim must open in Inkscape. Because the attack depends on local user interaction and does not yield remote code execution, the likelihood of widespread exploitation is lower than for high-impact vulnerabilities. The vulnerability is not listed in the CISA KEV catalog, and no public proof-of-concept exploits have been reported. Nonetheless, organizations should treat it as a moderate risk and apply the available patch promptly.
OpenCVE Enrichment