{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-15T20:11:54.584Z", "datePublished": "2026-06-10T17:42:02.156Z", "dateUpdated": "2026-06-11T14:03:34.537Z"}, "containers": {"cna": {"title": "draw.io: XSS via crafted cell label when opening a .drawio file", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"}, {"name": "https://github.com/jgraph/drawio/releases/tag/v29.7.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.12"}], "affected": [{"vendor": "jgraph", "product": "drawio", "versions": [{"version": "< 29.7.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T17:42:02.156Z"}, "descriptions": [{"lang": "en", "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected \u2014 which import does automatically. This issue has been patched in version 29.7.12."}], "source": {"advisory": "GHSA-fqhg-287p-c6vf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-11T14:02:47.367642Z", "id": "CVE-2026-46642", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T14:03:34.537Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-15T20:11:54.584Z", "datePublished": "2026-06-10T17:42:02.156Z", "dateUpdated": "2026-06-11T14:03:34.537Z"}, "containers": {"cna": {"title": "draw.io: XSS via crafted cell label when opening a .drawio file", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"}, {"name": "https://github.com/jgraph/drawio/releases/tag/v29.7.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.12"}], "affected": [{"vendor": "jgraph", "product": "drawio", "versions": [{"version": "< 29.7.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T17:42:02.156Z"}, "descriptions": [{"lang": "en", "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected \u2014 which import does automatically. This issue has been patched in version 29.7.12."}], "source": {"advisory": "GHSA-fqhg-287p-c6vf", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-46642", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-11T14:02:47.367642Z"}}}], "references": [{"url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-11T14:03:04.044Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:diagrams:drawio:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C08CD9B-D519-4495-ABB6-5FCC7601CFB4", "versionEndExcluding": "29.7.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected \u2014 which import does automatically. This issue has been patched in version 29.7.12."}], "id": "CVE-2026-46642", "lastModified": "2026-06-16T13:54:58.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-10T18:17:06.007", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/jgraph/drawio/releases/tag/v29.7.12"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,29.7.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "drawio", "source": "cna", "vendor": "jgraph"}, "product": "drawio", "vendor": "jgraph"}], "created": "2026-06-10T19:30:36.812595+00:00", "updated": "2026-06-10T19:45:39.061262+00:00", "vendors": ["jgraph", "jgraph$PRODUCT$drawio"]}