What is CVE-2026-31899?

CVE-2026-31899 is a high-severity vulnerability in Kozea Cairosvg, classified under Uncontrolled Recursion. CVSS score: 7.5/10. Published 2026-03-13.

How severe is CVE-2026-31899?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2026-31899 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Kozea Cairosvg

CVE-2026-31899

CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive <use> element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.

EPSS: 0.000 (12.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Kozea Cairosvg — versions < 2.9.0

Weakness classification (CWE)

CWE-674 — Uncontrolled Recursion

Public proof-of-concept exploits

SnailSploit/CVE-2026-31899

References

https://github.com/Kozea/CairoSVG/security/advisories/GHSA-f38f-5xpm-9r7c (x_refsource_CONFIRM)
https://github.com/Kozea/CairoSVG/commit/6dde8685ed3f19837767bce7a13a5491e3d0e0bf (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-31899?: CVE-2026-31899 is a high-severity vulnerability in Kozea Cairosvg, classified under Uncontrolled Recursion. CVSS score: 7.5/10. Published 2026-03-13.
How severe is CVE-2026-31899?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2026-31899 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.