CVE-2026-42140
Server-Side Request Forgery (SSRF) in PlantUML Macro via 'server' parameter
CVSS Score
4.4
EPSS Score
0.0%
EPSS Percentile
0th
PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.
| CWE | CWE-918 |
| Vendor | xwiki-contrib |
| Product | macro-plantuml |
| Published | May 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for xwiki-contrib macro-plantuml
Be the first to know when new medium vulnerabilities affecting xwiki-contrib macro-plantuml are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
xwiki-contrib / macro-plantuml
< 2.4.1