Vendor Products CVEs KEV Avg EPSS Worst Severity 1 27 0 44.3% CRITICAL
CVE ID Description Severity CVSS KEV EPSS Published CVE-2026-46642 draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12. MEDIUM 6.1 — 12.6% Jun 10, 2026 CVE-2023-3975 OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. CRITICAL 9.8 — 77.6% Jul 27, 2023 CVE-2023-3974 OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0. CRITICAL 9.8 — 60.6% Jul 27, 2023 CVE-2023-3973 Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3. MEDIUM 6.1 — 26.5% Jul 27, 2023 CVE-2023-3398 Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. HIGH 7.5 — — Jun 26, 2023 CVE-2023-3026 Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8. MEDIUM 6.1 — — Jun 1, 2023 CVE-2022-3873 Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2. MEDIUM 6.1 — — Nov 7, 2022 CVE-2022-3223 Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. MEDIUM 6.1 — — Sep 16, 2022 CVE-2022-3133 OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. HIGH 7.8 — — Sep 9, 2022 CVE-2022-3148 Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. MEDIUM 6.1 — — Sep 8, 2022 CVE-2022-3138 Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. MEDIUM 6.1 — — Sep 8, 2022 CVE-2022-3127 Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. MEDIUM 5.4 — — Sep 5, 2022 CVE-2022-3065 Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. HIGH 7.5 — — Sep 2, 2022 CVE-2022-2015 Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. MEDIUM 5.4 — — Jun 9, 2022 CVE-2022-2014 Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. MEDIUM 5.4 — — Jun 9, 2022 CVE-2022-1815 Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. HIGH 7.5 — — May 25, 2022 CVE-2022-1784 Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. HIGH 7.5 — — May 20, 2022 CVE-2022-1730 Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. MEDIUM 4.6 — — May 19, 2022 CVE-2022-1774 Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. MEDIUM 6.1 — — May 18, 2022 CVE-2022-1767 Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. HIGH 7.5 — — May 18, 2022
Show all 27 CVEs