A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files , as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element