CVE-2026-46642

Source
https://cve.org/CVERecord?id=CVE-2026-46642
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46642.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-46642
Aliases
  • GHSA-fqhg-287p-c6vf
Published
2026-06-10T17:42:02.156Z
Modified
2026-07-08T08:05:18.086175020Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
draw.io: XSS via crafted cell label when opening a .drawio file
Details

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46642.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/jgraph/drawio

Affected ranges

Type
GIT
Repo
https://github.com/jgraph/drawio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:diagrams:drawio:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "29.7.12"
        }
    ]
}

Affected versions

v24.*
v24.8.9
v25.*
v25.0.0
v25.0.1
v25.0.2
v26.*
v26.0.0
v26.0.13
v26.0.15
v26.0.16
v26.0.2
v26.0.3
v26.0.4
v26.0.6
v26.0.7
v26.0.9
v26.1.0
v26.1.1
v26.2.15
v26.2.2
v26.2.7
v26.2.8
v27.*
v27.0.2
v27.0.5
v27.0.9
v27.1.6
v28.*
v28.0.1
v28.0.3
v28.0.4
v28.0.5
v28.0.6
v28.0.7
v28.0.9
v28.1.1
v28.1.2
v28.2.0
v28.2.3
v28.2.5
v28.2.7
v28.2.8
v28.2.9
v29.*
v29.0.2
v29.0.3
v29.2.2
v29.2.6
v29.2.7
v29.2.9
v29.3.0
v29.3.2
v29.3.5
v29.3.6
v29.5.1
v29.5.2
v29.6.1
v29.6.10
v29.6.3
v29.6.4
v29.6.5
v29.6.6
v29.6.7
v29.7.11
v29.7.8
v29.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46642.json"