Cross-site scripting in draw.io - #VU135039


Published: June 23, 2026


Vulnerability identifier: #VU135039
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: JGraph
Affected software:
draw.io

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser, in the origin of the affected draw.io instance.

The vulnerability exists due to insufficient neutralization of diagram-supplied data in TextFormatPanel.addFont() in src/main/webapp/js/grapheditor/Format.js. The affected code runs when a crafted .drawio file is opened or imported and the selected cells are processed in the Format panel. A remote attacker can trick the victim into opening or importing a specially crafted diagram file and execute arbitrary JavaScript in the origin of the draw.io instance.

User interaction is required to open or import the crafted file; on the import path the selected cells are processed automatically, so the payload does not depend on the victim also interacting with the Format panel. In embedded deployments (draw.io loaded inside another web application), the script may execute in the host application's origin rather than in an isolated one.
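The following is an added illustration of the CWE-79 pattern described above, written for this advisory; it is not draw.io's code and does not reproduce the actual addFont() logic. It assumes, for the sake of the example, that the font name is read from a fontFamily key in a cell's style string and rendered into the Format panel's markup, and it shows the unsafe concatenation beside an escaped version together with a triage helper that flags suspicious font names in cell styles before a file is opened.

```javascript
// Added example for advisory #VU135039 (not draw.io's own code). The
// fontFamily style key as the source, the "geFont" markup as the sink and
// the sample cells below are all assumptions made for this illustration.

// Parse a draw.io mxCell style attribute of the form "k1=v1;k2=v2;flag;".
function parseStyle(style) {
  const props = {};
  for (const part of style.split(';')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    if (eq === -1) {
      props[part] = true;                       // bare flag, e.g. "rounded"
    } else {
      props[part.slice(0, eq)] = part.slice(eq + 1);
    }
  }
  return props;
}

// Vulnerable pattern: the font name is concatenated into markup that is
// later assigned to innerHTML, so a name containing tags is parsed as HTML.
function renderFontOptionVulnerable(fontName) {
  return '<div class="geFont">' + fontName + '</div>';
}

// Fix: neutralize the characters that carry meaning in an HTML text or
// attribute context before the value reaches an HTML sink. In a browser the
// equivalent is element.textContent = fontName instead of innerHTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderFontOptionSafe(fontName) {
  return '<div class="geFont">' + escapeHtml(fontName) + '</div>';
}

// Triage helper for incoming .drawio files: list cells whose fontFamily
// contains characters that have no business in a font name.
function findSuspiciousFonts(cells) {
  const hits = [];
  for (const cell of cells) {
    const font = parseStyle(cell.style).fontFamily;
    if (typeof font === 'string' && /[<>"'&]/.test(font)) {
      hits.push({ id: cell.id, fontFamily: font });
    }
  }
  return hits;
}

// Constructed sample cells (id/style pairs as found on <mxCell> elements);
// the second one carries an attacker-controlled font name.
const SAMPLE_CELLS = [
  { id: '2', style: 'text;html=1;fontFamily=Helvetica;fontSize=12;' },
  { id: '3', style: 'rounded=1;fontFamily=<img src=x onerror=alert(document.domain)>;' },
];

const evilFont = parseStyle(SAMPLE_CELLS[1].style).fontFamily;
console.log('vulnerable:', renderFontOptionVulnerable(evilFont));
console.log('safe:      ', renderFontOptionSafe(evilFont));
console.log('flagged:   ', findSuspiciousFonts(SAMPLE_CELLS));
```

The escaping step is the generic fix for this bug class; whether the vendor's patch escapes the value, switches to textContent, or validates the font name against an allow-list is not stated on this page. The triage helper is only a screening aid for files received from untrusted sources and is not a substitute for the vendor update.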


Remediation

Install the security update from the vendor's website.

Sources