CVE-2026-0858 — Cross-site Scripting in Plantuml

CWE-79 — Cross-site Scripting7 documents6 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 96.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Plantuml Debian Plantuml

Timeline

PublishedJan 16

Description

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages2 packages

▶NVDplantuml/plantuml< 1.2026.0

▶debiandebian/plantuml

Patches

Patch: github.com ↗Patch: security.snyk.io ↗

🔴Vulnerability Details

OSV

PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams↗2026-01-16

▶

GHSA

PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams↗2026-01-16

▶

OSV

CVE-2026-0858: Versions of the package net↗2026-01-16

▶

📋Vendor Advisories

Red Hat

plantuml: PlantUML: Arbitrary script execution via Stored Cross-Site Scripting in GraphViz diagrams↗2026-01-16

▶

Debian

CVE-2026-0858: plantuml - Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vu...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0858 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶