DEBIAN-CVE-2026-0858

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-0858

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0858.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-0858

Upstream

CVE-2026-0858

Published

2026-01-16T05:16:16.117Z

Modified

2026-01-17T05:04:03.685699Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

References

https://security-tracker.debian.org/tracker/CVE-2026-0858

Affected packages

Debian:11 / plantuml

Package

Name: plantuml
Purl: pkg:deb/debian/plantuml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.2020.2+ds-1

1:1.2020.2+ds-2

1:1.2020.2+ds-3

1:1.2020.2+ds-4

1:1.2020.2+ds-5

1:1.2020.2+ds-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0858.json"

Debian:12 / plantuml

Package

Name: plantuml
Purl: pkg:deb/debian/plantuml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.2020.2+ds-3

1:1.2020.2+ds-4

1:1.2020.2+ds-5

1:1.2020.2+ds-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0858.json"

Debian:13 / plantuml

Package

Name: plantuml
Purl: pkg:deb/debian/plantuml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.2020.2+ds-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0858.json"

Debian:14 / plantuml

Package

Name: plantuml
Purl: pkg:deb/debian/plantuml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1:1.*

1:1.2020.2+ds-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-0858.json"