CVE Catalog

CVE-2026-46642

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

The draw.io application prior to version 29.7.12 contains a vulnerability that allows arbitrary JavaScript execution through a crafted .drawio file. The issue lies in the Text Format panel where the raw cell label is assigned to an element without proper sanitization.

Risk Assessment

Exploitation of this vulnerability could lead to malicious code execution in the user's context, posing a serious threat to the organization's data and system security.

Recommendation

It is recommended to update the draw.io application to version 29.7.12 or later to mitigate this vulnerability.

Original NVD description (English source)

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS