CVE-2026-29074

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29074.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-776"
    ]
}

References

Affected packages

Git / github.com/svg/svgo

Affected ranges

Type

GIT

Repo

https://github.com/svg/svgo

Events

Introduced

355fb1ff24d2b90c0376e8d82230cbad6395907b

Fixed

f706b07a77de1f60a3e2c3f7bfd303529a4eb695

Database specific

{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.8.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/svg/svgo

Events

Introduced

a40fa216b67d297e84ab8017bf4b45b4a0001223

Fixed

bbab162534d89654ac51c30dd6e62d7163b48a5e

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.3.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/svg/svgo

Events

Introduced

Last affected

71e1f05a7efdb667ff61df53f621e8f3e48076fc

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 4.0.0"
        }
    ]
}

Affected versions

0.*

0.7.0

1.*

1.2.0

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.7.1

v0.7.2

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.3.1

v1.3.2

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.1.0

v2.2.0

v2.2.1

v2.2.2

v2.3.0

v2.3.1

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.7.0

v2.8.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.1.0

v3.2.0

v3.3.0

v3.3.1

v4.*

v4.0.0

v4.0.0-rc.0

v4.0.0-rc.1

v4.0.0-rc.2

v4.0.0-rc.4

v4.0.0-rc.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29074.json"