Description
PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.
Published: 2026-05-04
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PlantUML Macro for XWiki renders UML diagrams by sending the diagram to a PlantUML server. The macro's 'server' parameter is accepted without validation, so anyone who can place the macro in wiki content can point it at an arbitrary URL, including an internal IP address or a host they control. XWiki then issues the request from its own network position, which lets the attacker reach services that are not reachable from outside (internal hosts, link-local or cloud metadata endpoints, and similar) or direct the macro's request to an external server they operate and observe what it sends. The flaw is classified as CWE-918 (Server-Side Request Forgery). The CVSS vector rates the confidentiality and integrity impact as low and the availability impact as none, so this is a reconnaissance and pivoting primitive rather than a direct compromise of the XWiki host.

Affected Systems

The vulnerability exists in the xwiki‑contrib macro‑plantuml component used within XWiki. All releases prior to version 2.4.1 are affected. No further version details are provided by the CNA, so any deployment of macro‑plantuml older than 2.4.1 is susceptible.

Risk and Exploitability

The CVSS 3.1 score of 4.4 (AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N) rates this as medium severity. The attack is network-reachable, but the vector records that it needs low privileges (an account able to put the macro into wiki content), user interaction (someone must render the page containing the macro), and has high attack complexity; the scope change reflects that the request is made by the XWiki server rather than by the attacker. No EPSS score is available, the flaw is not in the CISA KEV catalog, and the SSVC assessment recorded below lists exploitation as 'none' and the attack as not automatable, all of which point to low current exploitation probability. The capability is still useful to an attacker who already has a wiki account: an SSRF from the application server can map internal networks and reach services that trust the server's network position. The likely attack vector is user-provided macro content, as inferred from the description.

Generated by OpenCVE AI on May 4, 2026 at 19:22 UTC.

Remediation

The CNA states that the issue is fixed in macro-plantuml version 2.4.1. No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading the macro-plantuml component to version 2.4.1 or later.
  • Apply egress filtering on the XWiki host or its network segment so that the application server can only reach the PlantUML server(s) it is meant to use, not arbitrary internal addresses or untrusted external domains.
  • If patching is not immediately possible, disable the PlantUML macro or restrict the 'server' parameter with an allowlist of trusted hostnames (exact match), rejecting literal IP addresses in private, loopback and link-local ranges.
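The allowlist check recommended above, written out as an added example. This is not XWiki or macro-plantuml code; it assumes the macro would pass the raw 'server' string to a function such as validate_server_url before making any outbound request, and the allowed hosts, function names and the sample URLs in the usage block are hypothetical. It goes slightly beyond the bullet by also rejecting non-HTTP schemes and URLs that carry userinfo, two common ways an SSRF filter that only looks at the string is bypassed.

```python
"""Allowlist validation for a user-controlled PlantUML ``server`` parameter.

Added example, not part of XWiki or the macro-plantuml component. Names and
the allowlist below are hypothetical.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical operator-configured allowlist of PlantUML hosts (exact match,
# lower case). Anything else is refused even if it looks harmless.
ALLOWED_HOSTS = {"plantuml.example.org", "www.plantuml.com"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_blocked_ip(host: str) -> bool:
    """Return True if ``host`` is a literal IP in a range an SSRF check must refuse.

    Non-literal hostnames return False here; the allowlist handles those.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def validate_server_url(server: str) -> tuple:
    """Return (ok, reason) for a candidate PlantUML server base URL.

    Rejects, in order: unparseable input, non-http(s) schemes, userinfo
    (``http://trusted@evil``), missing host, literal internal addresses
    (IPv4 or IPv6), and any hostname not on the allowlist.
    """
    try:
        parts = urlsplit(server)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if _is_blocked_ip(host):
        return False, f"literal internal address: {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate server and several SSRF attempts.
    samples = [
        "https://plantuml.example.org/plantuml",
        "http://127.0.0.1:8080/",
        "http://[::1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://plantuml.example.org@evil.test/",
        "file:///etc/passwd",
        "https://evil.test/",
    ]
    for url in samples:
        ok, reason = validate_server_url(url)
        print(f"{'ALLOW' if ok else 'DENY ':5} {url}  ({reason})")
```

A hostname allowlist is the check the bullet asks for, but on its own it still trusts DNS: an allowlisted name that resolves to an internal address, or that changes answer between the check and the connect, defeats it. Pair the check with the egress filtering above, or resolve the name, apply the same range test to the resolved addresses, and connect to the address you validated.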


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 04 May 2026 20:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Xwiki-contrib; Xwiki-contrib macro-plantuml

Type: Vendors & Products
Values Removed: (none)
Values Added: Xwiki-contrib; Xwiki-contrib macro-plantuml

Mon, 04 May 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.

Type: Title
Values Removed: (none)
Values Added: Server-Side Request Forgery (SSRF) in PlantUML Macro via 'server' parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T19:52:14.187Z

Reserved: 2026-04-24T17:15:21.834Z

Link: CVE-2026-42140

Vulnrichment

Updated: 2026-05-04T19:52:05.603Z

NVD

Status : Received

Published: 2026-05-04T18:16:31.677

Modified: 2026-05-04T18:16:31.677

Link: CVE-2026-42140

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:43:48Z

Weaknesses