CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

226 matches found

Drawio <18.1.2 - Server-Side Request Forgery

Drawio before 18.1.2 is susceptible to server-side request forgery via the /service endpoint in jgraph/drawio. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2022-1815 info: nam...

7.5CVSS6.5AI score0.05704EPSS

Exploits1References5

Nuclei•added yesterday•19 views

draw.io < 18.0.5 - Server Side Request Forgery (SSRF)

Server-Side Request Forgery SSRF vulnerability in draw.io also known as diagrams.net prior to version 18.0.5 allows attackers to bypass URL validation restrictions in the ProxyServlet component. The vulnerability exists because the application does not properly validate URLs passed to its proxy...

7.5CVSS7.1AI score0.05372EPSS

Exploits1References3

Nuclei•added yesterday•33 views

Drawio <18.0.4 - Server-Side Request Forgery

Drawio prior to 18.0.4 is vulnerable to server-side request forgery. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information. id: CVE-2022-1713 info: name: Drawio 18.0.4 - Server-Side Request Forgery author: pikpikcu severity: high...

7.5CVSS7.1AI score0.08667EPSS

Exploits1References4

CVE•added 2026/06/10 5:42 p.m.•25 views

CVE-2026-46642

CVE-2026-46642 affects draw.io prior to 29.7.12. A crafted .drawio file can execute arbitrary JavaScript in the editor’s origin when opened. The root cause is a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element’s innerHTML withou...

6.1CVSS5.9AI score0.00221EPSS

Exploits1References2Affected Software1

EUVD•added 2026/06/10 5:42 p.m.•9 views

EUVD-2026-36077

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer which works correctly on the rendering path but in...

6.1CVSS5.9AI score0.00221EPSS

Exploits1References2

Vulnrichment•added 2026/06/10 5:42 p.m.•8 views

CVE-2026-46642 draw.io: XSS via crafted cell label when opening a .drawio file

6.1CVSS5.9AI score0.00221EPSS

Exploits1References2

RedhatCVE•added 2026/06/05 7:26 p.m.•6 views

CVE-2026-40608

Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers /api/state, /api/restore, and /api/history-svg that process incoming requests by accumulating the entire request body into a...

6.2CVSS5.5AI score0.00146EPSS

Exploits1References1

CVE•added 2026/04/21 5:56 p.m.•18 views

CVE-2026-40608

CVE-2026-40608 affects Next AI Draw.io (a Next.js app). Before version 0.4.15, the embedded HTTP sidecar’s three POST handlers (/api/state, /api/restore, /api/history-svg) accumulate entire request bodies into a JavaScript string without size limits. Node.js buffers the full payload in the V8 hea...

6.2CVSS5.8AI score0.00146EPSS

Exploits1References2Affected Software1