CVE-2026-46642

MEDIUM 6.1

draw.io: XSS via crafted cell label when opening a .drawio file

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

CWE	CWE-79
Vendor	jgraph
Product	drawio
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for jgraph drawio

Be the first to know when new medium vulnerabilities affecting jgraph drawio are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

jgraph / drawio

< 29.7.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vf github.com: https://github.com/jgraph/drawio/releases/tag/v29.7.12