VYPR
Medium severity6.1OSV Advisory· Published Apr 17, 2024· Updated Apr 15, 2026

CVE-2024-32472

CVE-2024-32472

Description

excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as iframe's srcdoc without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing allow-same-origin sandbox flag (necessary for several embeds) resulted in the XSS. This vulnerability is fixed in 0.17.6 and 0.16.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@excalidraw/excalidrawnpm
>= 0.16.0, < 0.16.40.16.4
@excalidraw/excalidrawnpm
>= 0.17.0, < 0.17.60.17.6

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

1