CVE-2026-46642
CVE-2026-46642 affects draw.io prior to 29.7.12. A crafted .drawio file can execute arbitrary JavaScript in the editor’s origin when opened. The root cause is a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element’s innerHTML withou...
EUVD-2026-36077
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer which works correctly on the rendering path but in...
Linux Distros Unpatched Vulnerability : CVE-2022-3873
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available: Cross-site Scripting (XSS), DOM-based, in GitHub repository jgraph/drawio prior to 20.5.2 (CVE-2022-3873). Note that Nessus relies on the presence of the package as...
The vulnerability of the drawio diagram-building software lies in the improper neutralization of special elements used in the OS command. This allows a hacker to execute arbitrary commands.
The vulnerability of the software for creating Drawio diagrams is related to the improper neutralization of special elements used in the OS command. Exploiting this vulnerability allows a malicious actor to execute arbitrary commands remotely...
CVE-2022-2015
Cross-site Scripting (XSS), stored, in GitHub repository jgraph/drawio prior to 19.0.2...
CVE-2022-1784
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8...
CVE-2022-1774
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7...
CVE-2022-1723
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6...
CVE-2022-1721
Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5, allowing local files of the web application to be read...