CVE-2026-0858

Source
https://cve.org/CVERecord?id=CVE-2026-0858
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0858.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0858
Aliases
Downstream
Published
2026-01-16T05:16:16.117Z
Modified
2026-04-10T05:36:54.599524Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

Affected packages

Git / github.com/plantuml/plantuml

Affected ranges

Type
GIT
Repo
https://github.com/plantuml/plantuml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.2026.0"
        }
    ]
}

Affected versions

v1.*
v1.2017.12
v1.2017.13
v1.2017.14
v1.2017.15
v1.2017.17
v1.2017.18
v1.2017.19
v1.2017.20
v1.2018.0
v1.2018.1
v1.2018.10
v1.2018.11
v1.2018.12
v1.2018.13
v1.2018.14
v1.2018.2
v1.2018.3
v1.2018.4
v1.2018.5
v1.2018.6
v1.2018.7
v1.2018.8
v1.2018.9
v1.2019.0
v1.2019.1
v1.2019.10
v1.2019.11
v1.2019.12
v1.2019.13
v1.2019.2
v1.2019.4
v1.2019.5
v1.2019.6
v1.2019.7
v1.2019.8
v1.2019.9
v1.2020.0
v1.2020.1
v1.2020.10
v1.2020.11
v1.2020.12
v1.2020.13
v1.2020.14
v1.2020.15
v1.2020.16
v1.2020.17
v1.2020.18
v1.2020.19
v1.2020.2
v1.2020.20
v1.2020.21
v1.2020.22
v1.2020.23
v1.2020.24
v1.2020.26
v1.2020.3
v1.2020.4
v1.2020.6
v1.2020.7
v1.2020.8
v1.2020.9
v1.2021.0
v1.2021.1
v1.2021.10
v1.2021.12
v1.2021.13
v1.2021.14
v1.2021.15
v1.2021.16
v1.2021.2
v1.2021.3
v1.2021.4
v1.2021.5
v1.2021.6
v1.2021.7
v1.2021.8
v1.2021.9
v1.2022.0
v1.2022.1
v1.2022.10
v1.2022.11
v1.2022.12
v1.2022.13
v1.2022.14
v1.2022.2
v1.2022.3
v1.2022.4
v1.2022.5
v1.2022.6
v1.2022.7
v1.2022.8
v1.2022.9
v1.2023.0
v1.2023.1
v1.2023.10
v1.2023.11
v1.2023.12
v1.2023.13
v1.2023.2
v1.2023.3
v1.2023.4
v1.2023.5
v1.2023.6
v1.2023.7
v1.2023.8
v1.2023.9
v1.2024.0
v1.2024.1
v1.2024.2
v1.2024.3
v1.2024.4
v1.2024.5
v1.2024.6
v1.2024.7
v1.2024.7-native
v1.2024.8
v1.2024.8-native
v1.2025.0
v1.2025.0-native
v1.2025.1
v1.2025.1-native
v1.2025.10
v1.2025.2
v1.2025.2-native
v1.2025.3
v1.2025.3-native
v1.2025.4
v1.2025.4-native
v1.2025.6
v1.2025.7
v1.2025.8
v1.2025.9
v2017.*
v2017.08
v2017.09
v2017.11
Other
v8059

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0858.json"