Skip to main content

draw.io CVE-2026-46642

| EUVDEUVD-2026-36077 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 GitHub_M
6.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 19:05 vuln.today
Analysis Generated
Jun 10, 2026 - 19:05 vuln.today

DescriptionCVE.org

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected - which import does automatically. This issue has been patched in version 29.7.12.

AnalysisAI

Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

draw.io (CPE: cpe:2.3:a:jgraph:drawio:*:*:*:*:*:*:*:*) is a browser-based diagramming and whiteboarding application by JGraph. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically a DOM-based XSS variant. The application correctly sanitizes cell labels on the rendering code path, but a second, independent code path in the Text Format panel's feature-detection routine reads raw cell label values and assigns them to a detached DOM element via innerHTML without sanitization. A critical browser behavior is exploited here: even elements detached from the live document tree still trigger event handlers such as onerror when image loads fail. An attacker payload of <img src=x onerror=...> placed in any cell label therefore executes its JavaScript handler the moment the detached element is created, before any rendering sanitizer has a chance to process the content. Because file import automatically selects cells, this fires synchronously during the open operation.

RemediationAI

Upgrade draw.io to version 29.7.12 or later, which is confirmed as the vendor-released fix per the GitHub release at https://github.com/jgraph/drawio/releases/tag/v29.7.12 and the security advisory at https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf. For organizations unable to patch immediately, restrict access to the draw.io instance to trusted internal users only and implement strict file-sharing policies prohibiting the ingestion of .drawio files from unverified or external sources - this reduces but does not eliminate the attack surface, as insider threat or compromised accounts remain a vector. Disabling the Text Format panel entirely, if supported by the deployment configuration, would remove the vulnerable code path, though this carries the trade-off of losing text formatting functionality. Content Security Policy (CSP) headers enforcing script-src restrictions on the draw.io origin can limit the impact of successful XSS payloads by blocking inline script execution or restricting exfiltration endpoints, but CSP alone does not prevent the initial code execution in all configurations.

More in Drawio

View all
CVE-2023-3975 CRITICAL POC
9.8 Jul 27

OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. Rated critical severity (CVSS 9.8), this vulner

CVE-2022-1575 CRITICAL POC
9.6 May 05

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. Rated critical sev

CVE-2022-1727 HIGH POC
8.8 May 18

Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 8.8), this vulne

CVE-2022-3133 HIGH POC
7.8 Sep 09

OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. Rated high severity (CVSS 7.8), this vulnerabil

CVE-2023-3398 HIGH POC
7.5 Jun 26

Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. Rated high severity (CVSS 7.5), this vulnerability

CVE-2022-3065 HIGH POC
7.5 Sep 02

Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. Rated high severity (CVSS 7.5), this vulnera

CVE-2022-1815 HIGH POC
7.5 May 25

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. Rated hig

CVE-2022-1784 HIGH POC
7.5 May 20

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. Rated high severity (CVSS 7.5), t

CVE-2022-1767 HIGH POC
7.5 May 18

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. Rated high severity (CVSS 7.5), t

CVE-2022-1711 HIGH POC
7.5 May 17

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), t

CVE-2022-1723 HIGH POC
7.5 May 17

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 7.5), t

CVE-2022-1721 HIGH POC
7.5 May 16

Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), t

Share

CVE-2026-46642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy