Medium severity 6.1 · OSV Advisory · Published Apr 17, 2024 · Updated Apr 15, 2026
CVE-2024-32472
Description
Excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability exists in Excalidraw's web embeddable component, allowing arbitrary JavaScript to run in the context of the domain where the editor is hosted. There were two vectors: first, rendering an untrusted string as an iframe's srcdoc without properly sanitizing against HTML injection; second, improperly sanitizing against attribute HTML injection. Combined with the allow-same-origin sandbox flag (necessary for several embeds), this resulted in the XSS. This vulnerability is fixed in 0.17.6 and 0.16.4.
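The following is an added illustration (not Excalidraw's own code or fix) of the two injection contexts the advisory names, srcdoc body and attribute value, with a vulnerable builder beside a hardened one; the function names, the sample embed URL and the sandbox policy are assumptions for the example.

```javascript
// Added illustration, not Excalidraw's code. Names and inputs are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text so it is inert both as element content and inside a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Accept only absolute http(s) URLs. The URL parser percent-encodes quotes and
// spaces in the query, so the serialized result cannot close an attribute.
function normalizeEmbedUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch (_) { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.href;
}

// Vulnerable pattern: untrusted strings interpolated straight into the markup
// that becomes the iframe's srcdoc (both vectors from the advisory).
function buildSrcdocUnsafe(url, title) {
  return `<iframe src="${url}" title="${title}"></iframe>`;
}

// Hardened pattern: validate the URL, then escape every interpolated value.
function buildSrcdocSafe(url, title) {
  const safeUrl = normalizeEmbedUrl(url);
  if (safeUrl === null) return null;
  return `<iframe src="${escapeHtml(safeUrl)}" title="${escapeHtml(title)}"></iframe>`;
}

// Outer embed frame. allow-same-origin lets script inside the srcdoc run as the
// host page, so it is only granted for markup produced by the hardened builder;
// the srcdoc is itself an attribute value and is escaped once more.
function embedFrameHtml(url, title, needsSameOrigin) {
  const srcdoc = buildSrcdocSafe(url, title);
  if (srcdoc === null) return null;
  const sandbox = needsSameOrigin ? "allow-scripts allow-same-origin" : "allow-scripts";
  return `<iframe sandbox="${sandbox}" srcdoc="${escapeHtml(srcdoc)}"></iframe>`;
}
```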
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @excalidraw/excalidraw | npm | >= 0.16.0, < 0.16.4 | 0.16.4 |
| @excalidraw/excalidraw | npm | >= 0.17.0, < 0.17.6 | 0.17.6 |
Affected products
- Range: v0.10.0, v0.11.0, v0.12.0, …
References
- github.com/advisories/GHSA-m64q-4jqh-f72f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-32472 (NVD advisory)
- github.com/excalidraw/excalidraw/commit/6be752e1b6d776ccfbd3bb9eea17463cb264121d (fix commit)
- github.com/excalidraw/excalidraw/commit/988f81911ca58e3ca2583e0dd44a954dd00e09d0 (fix commit)
- github.com/excalidraw/excalidraw/security/advisories/GHSA-m64q-4jqh-f72f (project advisory)
News mentions
- Top 10 web hacking techniques of 2024: nominations open (PortSwigger Research, Jan 8, 2025)