CVE-2026-46642EPSS p8.6%

CVE-2026-46642CVE-2026-46642

diagrams / drawio

Description

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

Scoring

CVSS 6.1 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS0.19% probability of exploitation · percentile 8.6% · 2026-06-19T12:03:05Z
Last modified2026-06-16

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-39436
CVE
CVE-2026-50733
CVE
CVE-2026-35643
CVE
CVE-2026-45644
CVE
CVE-2026-49492
CVE
CVE-2026-11688
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.