SB2026062313 - Cross-site scripting in draw.io

Published: June 23, 2026

Security Bulletin ID: SB2026062313
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in the origin of the draw.io instance.

The vulnerability exists due to cross-site scripting in TextFormatPanel.addFont() in src/main/webapp/js/grapheditor/Format.js when opening or importing a crafted .drawio file and processing selected cells in the Format panel. A remote attacker can supply a crafted diagram file to execute arbitrary JavaScript in the origin of the draw.io instance.

User interaction is required to open or import the crafted file, and on the import path the selected cells are processed automatically. In embedded deployments, the script may execute in the host application's origin.
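The defensive shape of a fix for this bug class, as an added illustration rather than draw.io's own code or its actual patch: a font-family value read from an untrusted diagram style string is escaped at the point where it enters markup, so a crafted file cannot break out of the attribute or element it is placed in. The style-string layout (`key=value;` pairs with a `fontFamily` key), the helper names, and the sample style are assumptions constructed for the example.

```javascript
// Added example, not draw.io's own code: neutralise a font-family value taken
// from an untrusted .drawio cell style before it is written into HTML.

// Escape the five characters that carry meaning in HTML text and attributes.
// '&' must be handled first so already-escaped output is not double-escaped.
function htmlEntities(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pull fontFamily out of a "key=value;key=value;" cell style string
// (assumed layout; returns null when the key is absent).
function getFontFamily(style) {
  for (const part of style.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq) === 'fontFamily') {
      return part.slice(eq + 1);
    }
  }
  return null;
}

// Unsafe: the CWE-79 shape, untrusted text interpolated straight into markup.
function renderFontOptionUnsafe(fontFamily) {
  return '<option value="' + fontFamily + '">' + fontFamily + '</option>';
}

// Safe: the same markup, but the untrusted value is escaped once on entry.
function renderFontOptionSafe(fontFamily) {
  const safe = htmlEntities(fontFamily);
  return '<option value="' + safe + '">' + safe + '</option>';
}

// Constructed sample: a cell style as it might appear in a crafted file,
// where the font name tries to close the attribute and inject an element.
const craftedStyle =
  'text;html=1;fontFamily=Arial"><img src=x onerror=alert(1)>;fontSize=12';

const family = getFontFamily(craftedStyle);
console.log('unsafe:', renderFontOptionUnsafe(family));
console.log('safe:  ', renderFontOptionSafe(family));
```

In browser code the stronger form of the same rule is to avoid string-built markup altogether: create the element with `document.createElement`, set the name with `textContent`, and set the attribute with `setAttribute`, so no escaping step can be forgotten. A useful regression check for a fix of this kind is a test fixture diagram whose style values contain `"`, `<` and `>` and an assertion that the rendered panel contains no unexpected elements.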


Remediation

Install update from vendor's website.