convert-svg-core is vulnerable to arbitrary code injection. The vulnerability exists because the library does not properly remove the malicious attributes from the SVG element before being rendered, allowing an attacker to read files from the file system and show the file content as a PNG file by providing a maliciously crafted SVG file.