SB2026062313 - Cross-site scripting in draw.io
Published: June 23, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the origin of the draw.io instance.
The vulnerability exists due to cross-site scripting in TextFormatPanel.addFont() in src/main/webapp/js/grapheditor/Format.js when opening or importing a crafted .drawio file and processing selected cells in the Format panel. A remote attacker can supply a crafted diagram file to execute arbitrary JavaScript in the origin of the draw.io instance.
User interaction is required to open or import the crafted file, and on the import path the selected cells are processed automatically. In embedded deployments, the script may execute in the host application's origin.
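As an added illustration of this bug class (not draw.io's code and not the affected function itself), the sketch below shows a font name read from a constructed cell style string being concatenated into markup, beside the escaped form a defender would expect; the style string, the `parseStyle`/`fontOption*` helpers and the constructed payload are assumptions for the example.

```javascript
'use strict';

// Constructed sample: a cell style as it might be stored in a .drawio file.
// In a crafted file the fontFamily value is fully attacker-controlled.
const SAMPLE_STYLE =
  'text;html=1;fontFamily=Helvetica<img src=x onerror=alert(1)>;fontSize=12';

// Parse a "key=value;key=value" style string into an object.
// Only the first '=' separates key from value, so '=' inside values survives.
function parseStyle(style) {
  const out = {};
  for (const part of style.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq)] = part.slice(eq + 1);
  }
  return out;
}

// Escape the characters that change meaning in HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw font name is spliced into markup that a panel
// later assigns via innerHTML, so any tags inside the value are parsed as HTML.
function fontOptionUnsafe(fontName) {
  return '<div class="font-option">' + fontName + '</div>';
}

// Hardened pattern: escape before building markup. In real DOM code, prefer
// document.createElement() plus textContent, which needs no string escaping.
function fontOptionSafe(fontName) {
  return '<div class="font-option">' + escapeHtml(fontName) + '</div>';
}

// Detection aid for reviewing imported files: a legitimate font-family name
// never needs angle brackets, so their presence marks a suspicious value.
function hasMarkupChars(value) {
  return /[<>]/.test(String(value));
}

// Walk the constructed style the way a panel would when a cell is selected.
function demo() {
  const style = parseStyle(SAMPLE_STYLE);
  return {
    suspicious: hasMarkupChars(style.fontFamily),
    unsafe: fontOptionUnsafe(style.fontFamily),
    safe: fontOptionSafe(style.fontFamily),
  };
}
```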
Remediation
Install the update from the vendor's website.