Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
127044.3%CRITICAL

Related CVEs

27
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2026-46642draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.MEDIUM6.112.6%Jun 10, 2026
CVE-2023-3975OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.CRITICAL9.877.6%Jul 27, 2023
CVE-2023-3974OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.CRITICAL9.860.6%Jul 27, 2023
CVE-2023-3973Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.MEDIUM6.126.5%Jul 27, 2023
CVE-2023-3398Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.HIGH7.5Jun 26, 2023
CVE-2023-3026Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.MEDIUM6.1Jun 1, 2023
CVE-2022-3873Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.MEDIUM6.1Nov 7, 2022
CVE-2022-3223Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.MEDIUM6.1Sep 16, 2022
CVE-2022-3133OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.HIGH7.8Sep 9, 2022
CVE-2022-3148Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.MEDIUM6.1Sep 8, 2022
CVE-2022-3138Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.MEDIUM6.1Sep 8, 2022
CVE-2022-3127Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.MEDIUM5.4Sep 5, 2022
CVE-2022-3065Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.HIGH7.5Sep 2, 2022
CVE-2022-2015Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.MEDIUM5.4Jun 9, 2022
CVE-2022-2014Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.MEDIUM5.4Jun 9, 2022
CVE-2022-1815Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.HIGH7.5May 25, 2022
CVE-2022-1784Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.HIGH7.5May 20, 2022
CVE-2022-1730Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.MEDIUM4.6May 19, 2022
CVE-2022-1774Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.MEDIUM6.1May 18, 2022
CVE-2022-1767Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.HIGH7.5May 18, 2022