{"id":"JLSEC-2026-512","details":"A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=\".?../../../../../../../../../../etc/passwd\" in an xi:include element.","modified":"2026-05-19T01:45:05.867662Z","published":"2026-05-19T01:34:38.069Z","upstream":["CVE-2023-38633"],"database_specific":{"license":"CC-BY-4.0","sources":[{"published":"2023-07-22T17:15:09.810Z","html_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38633","url":"https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-38633","imported":"2026-05-19T00:57:42.346Z","database_specific":{"status":"Modified"},"modified":"2024-11-21T08:13:58.380Z","id":"CVE-2023-38633"}]},"references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/07/27/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/07/27/1"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/09/06/10"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/09/06/10"},{"type":"WEB","url":"https://bugzilla.suse.com/show_bug.cgi?id=1213502"},{"type":"WEB","url":"https://bugzilla.suse.com/show_bug.cgi?id=1213502"},{"type":"WEB","url":"https://gitlab.gnome.org/GNOME/librsvg/-/issues/996"},{"type":"WEB","url":"https://gitlab.gnome.org/GNOME/librsvg/-/issues/996"},{"type":"WEB","url":"https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3"},{"type":"WEB","url":"https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/422NTIHIEBRASIG2DWXYBH4ADYMHY626/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5BCXT5GW6RCL45ZUHUZR4CJG2BAFDVC/"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=37415799"},{"type":"WEB","url":"https://news.ycombinator.com/item?id=37415799"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20230831-0011/"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20230831-0011/"},{"type":"WEB","url":"https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/"},{"type":"WEB","url":"https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/"},{"type":"WEB","url":"https://www.debian.org/security/2023/dsa-5484"},{"type":"WEB","url":"https://www.debian.org/security/2023/dsa-5484"}],"affected":[{"package":{"name":"Librsvg_jll","ecosystem":"Julia","purl":"pkg:julia/Librsvg_jll?uuid=925c91fb-5dd6-59dd-8e8c-345e74382d89"},"ranges":[{"type":"SEMVER","events":[{"introduced":"2.52.4+0"},{"fixed":"2.54.7+0"}]}],"database_specific":{"source":"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-512.json"}}],"schema_version":"1.7.5"}