Drawio
Monthly
Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Stored cross-site scripting in draw.io prior to version 29.7.12 allows arbitrary JavaScript execution in the editor's origin when a victim opens a crafted .drawio file. The flaw bypasses the existing label sanitizer entirely because it resides in a separate, unsanitized code path - the Text Format panel's feature-detection routine - which assigns raw cell label content directly to a detached DOM element's innerHTML. Exploitation is automatic upon file import since draw.io selects cells programmatically during that process, requiring no additional user interaction beyond opening the file. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. Public exploit code available.
Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.