Cross-site scripting in draw.io - #VU135039
Published: June 23, 2026
draw.io
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the origin of the draw.io instance.
The vulnerability exists due to cross-site scripting in TextFormatPanel.addFont() in src/main/webapp/js/grapheditor/Format.js when opening or importing a crafted .drawio file and processing selected cells in the Format panel. A remote attacker can supply a crafted diagram file to execute arbitrary JavaScript in the origin of the draw.io instance.
User interaction is required to open or import the crafted file, and on the import path the selected cells are processed automatically. In embedded deployments, the script may execute in the host application's origin.
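The following is an added example, not draw.io's code and not part of the advisory: it shows the defensive pattern for a value taken from a diagram file before it is spliced into Format-panel markup. It assumes the tainted value is the fontFamily key of a cell style string ("key=value;key=value;"), which the advisory does not state; parseStyle, safeFontName, fontEntryUnsafe and fontEntrySafe are hypothetical names.

```javascript
// Added example (not draw.io's code). ASSUMPTION: the untrusted value is the
// fontFamily key of a cell style string; the advisory does not name the sink.

// Parse a "k=v;k=v;" style string into a map. Bare entries without "="
// (e.g. a shape name) are kept with an empty value.
function parseStyle(style) {
  const out = {};
  for (const part of String(style || '').split(';')) {
    if (part === '') continue;
    const eq = part.indexOf('=');
    if (eq < 0) out[part] = '';
    else out[part.slice(0, eq)] = part.slice(eq + 1);
  }
  return out;
}

// Escape the characters that change meaning when spliced into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allowlist: accept only strings that look like font names, else fall back.
const FONT_NAME_RE = /^[A-Za-z0-9 _.-]{1,64}$/;
function safeFontName(name, fallback = 'Helvetica') {
  return FONT_NAME_RE.test(name) ? name : fallback;
}

// Unsafe pattern: the file-supplied value goes straight into markup.
function fontEntryUnsafe(style) {
  const font = parseStyle(style).fontFamily || 'Helvetica';
  return `<span class="font-entry" style="font-family:${font}">${font}</span>`;
}

// Hardened pattern: validate the name, then escape at the HTML sink.
function fontEntrySafe(style) {
  const font = safeFontName(parseStyle(style).fontFamily || 'Helvetica');
  const esc = escapeHtml(font);
  return `<span class="font-entry" style="font-family:${esc}">${esc}</span>`;
}

// Constructed sample cell styles: one benign, one carrying markup.
const BENIGN = 'text;html=1;fontFamily=Comic Sans MS;fontSize=12;';
const HOSTILE = 'text;html=1;fontFamily=<i>x</i>;fontSize=12;';
```

Running fontEntryUnsafe(HOSTILE) yields markup containing the raw `<i>` tag, while fontEntrySafe(HOSTILE) replaces the rejected name with the fallback; the same escaping belongs at every place a file-derived string reaches the panel.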