{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0858", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-01-12T09:57:41.760Z", "datePublished": "2026-01-16T05:00:06.808Z", "dateUpdated": "2026-01-16T14:10:00.485Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P"}}], "credits": [{"value": "Catalin Iovita (Snyk Security Research)", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Stored XSS", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-01-16T05:00:06.808Z"}, "descriptions": [{"value": "Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"}, {"url": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd"}, {"url": "https://github.com/plantuml/plantuml/releases/tag/v1.2026.0"}], "affected": [{"product": "net.sourceforge.plantuml:plantuml", "versions": [{"version": "0", "lessThan": "1.2026.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T14:09:52.779738Z", "id": "CVE-2026-0858", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:10:00.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T14:09:52.779738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:09:56.891Z"}}], "cna": {"credits": [{"lang": "en", "value": "Catalin Iovita (Snyk Security Research)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}, "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "net.sourceforge.plantuml:plantuml", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2026.0", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"}, {"url": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd"}, {"url": "https://github.com/plantuml/plantuml/releases/tag/v1.2026.0"}], "descriptions": [{"lang": "en", "value": "Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Stored XSS"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-01-16T05:00:06.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0858", "state": "PUBLISHED", "dateUpdated": "2026-01-16T14:10:00.485Z", "dateReserved": "2026-01-12T09:57:41.760Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-01-16T05:00:06.808Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG."}], "id": "CVE-2026-0858", "lastModified": "2026-01-16T05:16:16.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-01-16T05:16:16.117", "references": [{"source": "report@snyk.io", "url": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd"}, {"source": "report@snyk.io", "url": "https://github.com/plantuml/plantuml/releases/tag/v1.2026.0"}, {"source": "report@snyk.io", "url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "plantuml: PlantUML: Arbitrary script execution via Stored Cross-Site Scripting in GraphViz diagrams", "id": "2430303", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430303"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["A flaw was found in PlantUML. This vulnerability, known as Stored Cross-Site Scripting (XSS), occurs due to insufficient sanitization of interactive attributes within GraphViz diagrams. A remote attacker can exploit this by crafting a malicious PlantUML diagram, which then injects harmful JavaScript into the generated Scalable Vector Graphics (SVG) output. This can lead to arbitrary script execution within applications that render the affected SVG."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid processing or rendering PlantUML diagrams from untrusted sources. If processing untrusted diagrams is unavoidable, ensure that the environment where the SVG output is rendered is adequately sandboxed to limit the impact of potential script execution. This operational control helps reduce exposure to the Stored XSS flaw."}, "name": "CVE-2026-0858", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/grafana-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-must-gather-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-operator-bundle", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/ratelimit-rhel8", "product_name": "OpenShift Service Mesh 2"}], "public_date": "2026-01-16T05:00:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0858\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0858\nhttps://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd\nhttps://github.com/plantuml/plantuml/releases/tag/v1.2026.0\nhttps://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"], "statement": "This vulnerability is rated Moderate for Red Hat. It affects PlantUML versions prior to 1.2026.0, allowing Stored Cross-Site Scripting (XSS) through crafted GraphViz diagrams. When a malicious PlantUML diagram is processed, it can inject arbitrary JavaScript into the generated SVG output, which then executes in the context of applications rendering the SVG. Exploitation requires user interaction with a crafted diagram.", "threat_severity": "Moderate"}

{"created": "2026-01-16T13:41:45.494029+00:00", "updated": "2026-01-16T13:41:45.494055+00:00", "vendors": ["plantuml", "plantuml$PRODUCT$plantuml"]}