Skip to main content

PlantUML Macro CVE-2026-42140

| EUVDEUVD-2026-27073 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-04 GitHub_M GHSA-42fc-7w97-8vrc
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch available
May 04, 2026 - 19:17 EUVD
Source Code Evidence Fetched
May 04, 2026 - 18:03 vuln.today
Analysis Generated
May 04, 2026 - 18:03 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:37 nvd
MEDIUM 4.4

DescriptionGitHub Advisory

PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.

AnalysisAI

Server-Side Request Forgery (SSRF) in PlantUML Macro for XWiki prior to version 2.4.1 allows authenticated users with UI interaction to specify arbitrary PlantUML servers via the server parameter without validation. An attacker can redirect the XWiki server to connect to internal IP addresses or malicious external URLs, enabling reconnaissance of internal infrastructure or attacks on internal services. The vulnerability requires authenticated access and user interaction but operates across scope boundaries (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C). Vendor-released patch available in version 2.4.1.

Technical ContextAI

The PlantUML Macro is an XWiki extension (CPE: cpe:2.3:a:xwiki-contrib:macro-plantuml) that allows wiki page authors to embed UML diagram definitions in a simple textual format and have them rendered as images via PlantUML, an open-source diagramming tool. The macro accepts a server parameter to specify an alternative PlantUML rendering server (instead of the public default). Prior to version 2.4.1, the macro passed user-supplied server URLs directly to HTTP requests without validating that the target domain was legitimate or trustworthy. CWE-918 (Server-Side Request Forgery) describes exactly this flaw: application-initiated outbound requests to URLs controlled or influenced by untrusted input. The fix implements URLSecurityManager from XWiki Platform to enforce a trusted domain whitelist, adding URL parsing and validation via isDomainTrusted() before any outbound connection attempt.

RemediationAI

Upgrade PlantUML Macro to version 2.4.1 or later. This patched version enforces URL validation via XWiki Platform's URLSecurityManager, rejecting any server parameter value not in the configured trusted domain list. If immediate upgrade is not possible, implement network-level compensating controls: restrict outbound HTTP/HTTPS from the XWiki server to a whitelist of legitimate PlantUML server endpoints (e.g., only to the official PlantUML server or designated internal rendering server). Alternatively, disable the server parameter entirely by modifying wiki configuration or using macro parameter restrictions if XWiki supports this. Audit wiki pages for existing uses of the server parameter and verify they reference only legitimate servers. Monitor XWiki server outbound connections for suspicious destinations (internal IPs, private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or known malicious hosts). References: GitHub Security Advisory at https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc and XWiki JIRA PLANTUML-25 at https://jira.xwiki.org/browse/PLANTUML-25.

Share

CVE-2026-42140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy