Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionGitHub Advisory
PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.
AnalysisAI
Server-Side Request Forgery (SSRF) in PlantUML Macro for XWiki prior to version 2.4.1 allows authenticated users with UI interaction to specify arbitrary PlantUML servers via the server parameter without validation. An attacker can redirect the XWiki server to connect to internal IP addresses or malicious external URLs, enabling reconnaissance of internal infrastructure or attacks on internal services. The vulnerability requires authenticated access and user interaction but operates across scope boundaries (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C). Vendor-released patch available in version 2.4.1.
Technical ContextAI
The PlantUML Macro is an XWiki extension (CPE: cpe:2.3:a:xwiki-contrib:macro-plantuml) that allows wiki page authors to embed UML diagram definitions in a simple textual format and have them rendered as images via PlantUML, an open-source diagramming tool. The macro accepts a server parameter to specify an alternative PlantUML rendering server (instead of the public default). Prior to version 2.4.1, the macro passed user-supplied server URLs directly to HTTP requests without validating that the target domain was legitimate or trustworthy. CWE-918 (Server-Side Request Forgery) describes exactly this flaw: application-initiated outbound requests to URLs controlled or influenced by untrusted input. The fix implements URLSecurityManager from XWiki Platform to enforce a trusted domain whitelist, adding URL parsing and validation via isDomainTrusted() before any outbound connection attempt.
RemediationAI
Upgrade PlantUML Macro to version 2.4.1 or later. This patched version enforces URL validation via XWiki Platform's URLSecurityManager, rejecting any server parameter value not in the configured trusted domain list. If immediate upgrade is not possible, implement network-level compensating controls: restrict outbound HTTP/HTTPS from the XWiki server to a whitelist of legitimate PlantUML server endpoints (e.g., only to the official PlantUML server or designated internal rendering server). Alternatively, disable the server parameter entirely by modifying wiki configuration or using macro parameter restrictions if XWiki supports this. Audit wiki pages for existing uses of the server parameter and verify they reference only legitimate servers. Monitor XWiki server outbound connections for suspicious destinations (internal IPs, private ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or known malicious hosts). References: GitHub Security Advisory at https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc and XWiki JIRA PLANTUML-25 at https://jira.xwiki.org/browse/PLANTUML-25.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27073
GHSA-42fc-7w97-8vrc