CVE-2026-0858

Source
https://nvd.nist.gov/vuln/detail/CVE-2026-0858
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0858.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-0858
Aliases
Downstream
Published
2026-01-16T05:16:16.117Z
Modified
2026-01-18T03:46:29.427243Z
Severity
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

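Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to stored cross-site scripting (XSS) due to insufficient sanitization of interactive attributes in GraphViz diagrams. A crafted PlantUML diagram can inject malicious JavaScript into the generated SVG output, and that script then executes in the context of any application that renders the SVG. The exposure therefore lies with applications that accept diagram source from untrusted users and display the generated SVG to other users. Version 1.2026.0 and later are not affected.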

References

Affected packages

Git / github.com/plantuml/plantuml

Affected ranges

Type
GIT
Repo
https://github.com/plantuml/plantuml
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v1.*

v1.2017.12
v1.2017.13
v1.2017.14
v1.2017.15
v1.2017.17
v1.2017.18
v1.2017.19
v1.2017.20
v1.2018.0
v1.2018.1
v1.2018.10
v1.2018.11
v1.2018.12
v1.2018.13
v1.2018.14
v1.2018.2
v1.2018.3
v1.2018.4
v1.2018.5
v1.2018.6
v1.2018.7
v1.2018.8
v1.2018.9
v1.2019.0
v1.2019.1
v1.2019.10
v1.2019.11
v1.2019.12
v1.2019.13
v1.2019.2
v1.2019.4
v1.2019.5
v1.2019.6
v1.2019.7
v1.2019.8
v1.2019.9
v1.2020.0
v1.2020.1
v1.2020.10
v1.2020.11
v1.2020.12
v1.2020.13
v1.2020.14
v1.2020.15
v1.2020.16
v1.2020.17
v1.2020.18
v1.2020.19
v1.2020.2
v1.2020.20
v1.2020.21
v1.2020.22
v1.2020.23
v1.2020.24
v1.2020.26
v1.2020.3
v1.2020.4
v1.2020.6
v1.2020.7
v1.2020.8
v1.2020.9
v1.2021.0
v1.2021.1
v1.2021.10
v1.2021.12
v1.2021.13
v1.2021.14
v1.2021.15
v1.2021.16
v1.2021.2
v1.2021.3
v1.2021.4
v1.2021.5
v1.2021.6
v1.2021.7
v1.2021.8
v1.2021.9
v1.2022.0
v1.2022.1
v1.2022.10
v1.2022.11
v1.2022.12
v1.2022.13
v1.2022.14
v1.2022.2
v1.2022.3
v1.2022.4
v1.2022.5
v1.2022.6
v1.2022.7
v1.2022.8
v1.2022.9
v1.2023.0
v1.2023.1
v1.2023.10
v1.2023.11
v1.2023.12
v1.2023.13
v1.2023.2
v1.2023.3
v1.2023.4
v1.2023.5
v1.2023.6
v1.2023.7
v1.2023.8
v1.2023.9
v1.2024.0
v1.2024.1
v1.2024.2
v1.2024.3
v1.2024.4
v1.2024.5
v1.2024.6
v1.2024.7
v1.2024.7-native
v1.2024.8
v1.2024.8-native
v1.2025.0
v1.2025.0-native
v1.2025.1
v1.2025.1-native
v1.2025.10
v1.2025.2
v1.2025.2-native
v1.2025.3
v1.2025.3-native
v1.2025.4
v1.2025.4-native
v1.2025.6
v1.2025.7
v1.2025.8
v1.2025.9

v2017.*

v2017.08
v2017.09
v2017.11

Other

v8059

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2026-0858-20e45736",
        "digest": {
            "length": 46.0,
            "function_hash": "104421566421985020010212428291263797240"
        },
        "source": "https://github.com/plantuml/plantuml/commit/9c7f725c01a70554c065de6d2da0b05866f2ff4c",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/version/Version.java",
            "function": "compileTime"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2026-0858-4a7f2cc6",
        "digest": {
            "length": 234.0,
            "function_hash": "264586635642912746385134626173291482185"
        },
        "source": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/directdot/PSystemDot.java",
            "function": "sanitizeAttributeValue"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2026-0858-5621f241",
        "digest": {
            "line_hashes": [
                "211464275529654585019739251421998226451",
                "208482669380600443664413060468993050889",
                "51592032468413676610010203001296472312",
                "1818309516474414807958584313729198258",
                "254325972594038266638308049192970285325",
                "122099110245836267885004485115240152696",
                "50633392045767595112283333230406831104",
                "31386792775580810439854486092166469921"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/plantuml/plantuml/commit/9c7f725c01a70554c065de6d2da0b05866f2ff4c",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/version/Version.java"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2026-0858-d8b5d3f5",
        "digest": {
            "length": 412.0,
            "function_hash": "146743707804990621472903184659698988267"
        },
        "source": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/directdot/PSystemDot.java",
            "function": "filter"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2026-0858-e0973c68",
        "digest": {
            "length": 444.0,
            "function_hash": "41857014355247866035838639637465745591"
        },
        "source": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/directdot/PSystemDot.java",
            "function": "sanitizeDotAttribute"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "id": "CVE-2026-0858-e12d4fa6",
        "digest": {
            "length": 1005.0,
            "function_hash": "224511582811694103119875177260613127232"
        },
        "source": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/directdot/PSystemDot.java",
            "function": "exportDiagramNow"
        },
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "id": "CVE-2026-0858-fd4c7c1c",
        "digest": {
            "line_hashes": [
                "85619938281112135600417466737037754441",
                "65552370516483528970138582974803386700",
                "115418861197460346212242725956063251959",
                "294286804589131688583876030167410615477",
                "28237598134338560592947605534752141819",
                "194834575093173099755333311667458661697",
                "222640788258183302487931709981595016885",
                "44630963856817843088344531954430721327",
                "216843458255367434515067650971213652322",
                "242943962495842197105131418879019076014",
                "113324932330932497370693516094874070774",
                "299712491152841663460621290176024496685",
                "180598420826152925717408937360031012281",
                "42440947576531808592095076975492069021",
                "1853030003733270322000658363654863551",
                "288110501423169416479364596589252682605",
                "40316209491634948758851787863919211638",
                "307686995355885837148026057270681602942",
                "260231332361409281920183990263212672809",
                "122730264848534141689020615695946918517",
                "62302300902584809895362595565397706417",
                "117277651448491141804248983510079228937",
                "164114635404914425845121709411374480809",
                "271904927196704389649677607539025244808",
                "176114617807513959323382848222581575864",
                "64522887597019299011374908339380873573",
                "220060199314708874236587394753748118744",
                "94153370551471197666211433120700949050",
                "14363571822209886287001186592677280176",
                "221059864344125366281283284466864806265",
                "101865776537769075699710995828037604079",
                "207036670795555668271348700572179952610",
                "73706779321261614550104930522916882079",
                "334029437100021274535961959699936827206",
                "85435284916871271510776595133971953918",
                "214181474584928973630512194713634325294",
                "14626629725433469571665142270087752352",
                "72319363259535236448267550568910393034",
                "158494699224542208517371264163355838629",
                "38827617721525893583546585295502142582",
                "2719097449535101149333459911709379171"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd",
        "target": {
            "file": "src/main/java/net/sourceforge/plantuml/directdot/PSystemDot.java"
        },
        "deprecated": false
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-0858.json"