GHSA-hrvf-g648-rf3m

Source
https://github.com/advisories/GHSA-hrvf-g648-rf3m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hrvf-g648-rf3m/GHSA-hrvf-g648-rf3m.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hrvf-g648-rf3m
Published
2026-01-16T06:30:15Z
Modified
2026-01-16T20:51:10.131707Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P
Summary
PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams
Details

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into the generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG. The injected script runs only where the SVG becomes part of a page's DOM (inlined SVG markup, an <object> or <iframe>, or the file opened directly in the browser); browsers do not execute script in an SVG loaded through an <img> element or as a CSS background image, so the exposure is concentrated in wikis, documentation sites and dashboards that inline diagrams rendered from user-supplied PlantUML source. The fix is to upgrade to 1.2026.0 or later.
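The advisory names the symptom (script-bearing interactive attributes reaching the SVG) but not the exact attribute PlantUML failed to sanitize, so the example below is a generic, renderer-side check rather than a reproduction. It is added here as illustration and is not code from PlantUML, GitHub or OSV. It scans an SVG for the standard script vectors a browser honours once the document is in the DOM (<script>, on* event handlers, javascript:/data:/vbscript: URLs in href/xlink:href, SMIL <set>/<animate> elements that write such a URL into an attribute, and <foreignObject>), and offers a strip function as defence in depth for applications that cannot upgrade immediately. The sample SVG is constructed for the example; it is not PlantUML output.

```python
"""Scan an SVG document for script-execution vectors that fire when the
image is placed in a page's DOM, and strip them as a defence-in-depth
measure on the rendering side. The proper fix for GHSA-hrvf-g648-rf3m is
upgrading PlantUML to >= 1.2026.0; this only reduces blast radius."""
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep prefixes stable when re-serialising a cleaned document.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
ANIMATION_ELEMENTS = {"set", "animate"}
ANIMATION_VALUE_ATTRS = {"to", "from", "values"}
# 'values' may hold a ';'-separated list, so animation attrs are searched,
# while URL attrs are matched from the start of the string.
BAD_SCHEME = re.compile(r"(?:^|;)\s*(?:javascript|data|vbscript)\s*:", re.IGNORECASE)


def _local(qname):
    """'{namespace}tag' -> 'tag'."""
    return qname.rsplit("}", 1)[-1]


def _flagged_attrs(el):
    """Yield the attribute keys on `el` that are script vectors."""
    tag = _local(el.tag).lower()
    for attr, value in el.attrib.items():
        name = _local(attr).lower()
        if name.startswith("on"):                       # onclick, onload, onmouseover, ...
            yield attr
        elif attr in URL_ATTRS and BAD_SCHEME.match(value):
            yield attr
        elif (tag in ANIMATION_ELEMENTS and name in ANIMATION_VALUE_ATTRS
              and BAD_SCHEME.search(value)):             # <set attributeName="href" to="javascript:...">
            yield attr


def find_script_vectors(svg_text):
    """Return findings as (element, attribute-or-None, value) tuples in document order."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = _local(el.tag)
        if tag.lower() in ("script", "foreignobject"):
            findings.append((tag, None, (el.text or "").strip()))
        for attr in _flagged_attrs(el):
            findings.append((tag, _local(attr), el.attrib[attr]))
    return findings


def strip_script_vectors(svg_text):
    """Return the SVG with vector elements removed and vector attributes deleted."""
    root = ET.fromstring(svg_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):                         # list(): the tree is mutated below
        if _local(el.tag).lower() in ("script", "foreignobject"):
            parent_of[el].remove(el)
            continue
        for attr in list(_flagged_attrs(el)):
            del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample in the shape of a GraphViz-style SVG (nodes wrapped in <a>);
# it is not real PlantUML output. node1 carries a benign link plus a SMIL rewrite,
# node2 a javascript: link; the <text> and <script> are further vectors.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="100">
  <g id="node1" class="node">
    <a xlink:href="https://example.com/ok" xlink:title="safe link">
      <ellipse cx="50" cy="50" rx="40" ry="20"/>
      <set attributeName="xlink:href" to="javascript:alert(3)" begin="1s"/>
    </a>
  </g>
  <g id="node2" class="node">
    <a xlink:href="javascript:alert(document.domain)">
      <ellipse cx="150" cy="50" rx="40" ry="20"/>
    </a>
  </g>
  <text x="10" y="90" onmouseover="alert(1)">hover</text>
  <script>alert(2)</script>
</svg>"""

if __name__ == "__main__":
    for finding in find_script_vectors(SAMPLE_SVG):
        print(finding)
    print(strip_script_vectors(SAMPLE_SVG))
```

Treat a non-empty result from find_script_vectors on PlantUML output as a signal to investigate the diagram source, not as a false positive to suppress; legitimate PlantUML links are https: URLs and never need event handlers or <script>.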

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-16T20:45:39Z",
    "severity": "LOW",
    "nvd_published_at": "2026-01-16T05:16:16Z",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Maven / net.sourceforge.plantuml:plantuml

Package

Name
net.sourceforge.plantuml:plantuml
Purl
pkg:maven/net.sourceforge.plantuml/plantuml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2026.0
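The range above is half-open in OSV semantics (introduced <= version < fixed), and PlantUML's 1.YYYY.N scheme defeats plain string comparison: "1.2025.10" sorts before "1.2025.9" as text, so a naive check would clear an affected build. The following is an added example (not code from OSV or PlantUML) that compares versions as integer tuples and pulls the plantuml coordinate out of `mvn dependency:list`/`dependency:tree` and `gradle dependencies` output, honouring Gradle's `declared -> resolved` notation. The dependency listing is constructed for the example, and the assumption that every version component starts with digits is the parser's own.

```python
"""Decide whether a PlantUML version is inside this advisory's affected
range and pull net.sourceforge.plantuml:plantuml coordinates out of
Maven/Gradle dependency listings. OSV ECOSYSTEM ranges are half-open:
introduced <= version < fixed."""
import re

INTRODUCED = "0"        # advisory: all earlier versions affected
FIXED = "1.2026.0"

_LEADING_DIGITS = re.compile(r"\d+")


def parse_version(version, width=3):
    """'1.2025.10' -> (1, 2025, 10); '0' -> (0, 0, 0).
    Components are zero-padded to `width` so '1.2026' == '1.2026.0'.
    Assumption: each component starts with digits; a qualifier such as
    '1.2023.4beta' keeps only the leading digits of that component."""
    parts = []
    for comp in version.strip().split("."):
        m = _LEADING_DIGITS.match(comp)
        if not m:
            raise ValueError(f"unparseable component {comp!r} in {version!r}")
        parts.append(int(m.group()))
    if len(parts) > width:
        raise ValueError(f"more than {width} components in {version!r}")
    return tuple(parts) + (0,) * (width - len(parts))


def is_affected(version, introduced=INTRODUCED, fixed=FIXED):
    """True when introduced <= version < fixed, compared numerically."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


# Coordinate as printed by Maven (net.sourceforge.plantuml:plantuml:jar:1.2025.10:compile)
# and by Gradle (net.sourceforge.plantuml:plantuml:1.2025.9 -> 1.2026.0, where the
# version after '->' is the one actually resolved onto the classpath).
_COORD = re.compile(
    r"net\.sourceforge\.plantuml:plantuml(?::jar)?:(?P<declared>[0-9][^\s:]*)"
    r"(?:\s*->\s*(?P<resolved>[0-9][^\s:]*))?"
)


def find_affected_coordinates(listing):
    """Return [(effective_version, affected)] for each plantuml coordinate in `listing`."""
    results = []
    for m in _COORD.finditer(listing):
        effective = m.group("resolved") or m.group("declared")
        results.append((effective, is_affected(effective)))
    return results


# Constructed dependency output for illustration, not captured from a real build.
SAMPLE_LISTING = """\
[INFO]    net.sourceforge.plantuml:plantuml:jar:1.2025.10:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile
+--- net.sourceforge.plantuml:plantuml:1.2025.9 -> 1.2026.0
"""

if __name__ == "__main__":
    for version, affected in find_affected_coordinates(SAMPLE_LISTING):
        status = f"AFFECTED, upgrade to >= {FIXED}" if affected else "ok"
        print(f"{version}: {status}")
```

Run it over the output of `mvn dependency:tree` or `gradle dependencies` saved to a file; the Gradle `->` handling matters because a transitive 1.2025.x that Gradle upgrades to 1.2026.0 is not an exposure, while the reverse (a declared 1.2026.0 downgraded by a strict constraint) would be.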

Affected versions

1.*

1.2017.12
1.2017.13
1.2017.14
1.2017.15
1.2017.16
1.2017.18
1.2017.19
1.2017.20
1.2018.0
1.2018.1
1.2018.2
1.2018.3
1.2018.4
1.2018.5
1.2018.6
1.2018.7
1.2018.8
1.2018.9
1.2018.10
1.2018.11
1.2018.12
1.2018.13
1.2018.14
1.2019.0
1.2019.1
1.2019.2
1.2019.3
1.2019.4
1.2019.5
1.2019.6
1.2019.7
1.2019.8
1.2019.9
1.2019.10
1.2019.11
1.2019.12
1.2019.13
1.2020.0
1.2020.1
1.2020.2
1.2020.3
1.2020.4
1.2020.6
1.2020.7
1.2020.8
1.2020.9
1.2020.10
1.2020.11
1.2020.12
1.2020.13
1.2020.14
1.2020.15
1.2020.16
1.2020.17
1.2020.18
1.2020.19
1.2020.20
1.2020.21
1.2020.22
1.2020.23
1.2020.24
1.2020.25
1.2020.26
1.2021.0
1.2021.1
1.2021.2
1.2021.3
1.2021.4
1.2021.5
1.2021.6
1.2021.7
1.2021.8
1.2021.9
1.2021.10
1.2021.12
1.2021.13
1.2021.14
1.2021.15
1.2021.16
1.2022.0
1.2022.1
1.2022.2
1.2022.3
1.2022.4
1.2022.5
1.2022.6
1.2022.7
1.2022.8
1.2022.12
1.2022.13
1.2022.14
1.2023.0
1.2023.1
1.2023.2
1.2023.4
1.2023.5
1.2023.6
1.2023.7
1.2023.8
1.2023.9
1.2023.10
1.2023.11
1.2023.12
1.2023.13
1.2024.1
1.2024.2
1.2024.3
1.2024.4
1.2024.5
1.2024.6
1.2024.7
1.2024.8
1.2025.0
1.2025.2
1.2025.3
1.2025.4
1.2025.7
1.2025.8
1.2025.9
1.2025.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-hrvf-g648-rf3m/GHSA-hrvf-g648-rf3m.json"