Description
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.
Published: 2026-06-10
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 29.7.12, a specially crafted .drawio file can cause the editor to execute arbitrary JavaScript when the file is opened. The vulnerability lies not in the normal label sanitizer but in a feature‑detection routine in the Text Format panel that assigns an unchecked cell label to a detached element’s innerHTML. Because browsers trigger onerror handlers even on detached elements, an <img src=x onerror=…> payload inside any cell label initiates script execution as soon as the cell is selected, which importing does automatically.

Affected Systems

The affected product is jgraph:drawio. All versions earlier than 29.7.12 are impacted, including 29.7.11 and any prior release.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity vulnerability. With no EPSS score available, the exploitation probability is unclear, but the issue is not listed in the CISA KEV catalog, suggesting limited operational impact. The likely attack vector is a local or remote user who can supply a malicious .drawio file for import into the editor.

Generated by OpenCVE AI on June 10, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to draw.io version 29.7.12 or later.
  • Enforce a strict content security policy that disables inline script execution for the editor domain.
  • Restrict file import capabilities to trusted users and validate incoming files for script tags before rendering.

Generated by OpenCVE AI on June 10, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Jgraph
Jgraph drawio
Vendors & Products Jgraph
Jgraph drawio

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.
Title draw.io: XSS via crafted cell label when opening a .drawio file
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Jgraph Drawio
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T17:42:02.156Z

Reserved: 2026-05-15T20:11:54.584Z

Link: CVE-2026-46642

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T18:17:06.007

Modified: 2026-06-10T20:58:14.500

Link: CVE-2026-46642

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:45:39Z

Weaknesses