Medium severity (score 6.1) · NVD Advisory · Published Jan 16, 2026 · Updated Apr 29, 2026
CVE-2026-0858
Description
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.
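The consumer-side counterpart of this issue, as an added example that is not PlantUML's code: a check an application that inlines renderer-produced SVG can run before embedding it. It parses the SVG and reports the three kinds of active content the description refers to: script-bearing elements, `on*` event-handler attributes, and `href` values whose scheme is outside an allowlist. The two SVG fixtures are constructed for this example in the shape of Graphviz output; the function names (`find_active_content`, `is_safe_svg`) and the allowed-scheme set are assumptions of this example, not anything from the advisory or the project.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical consumer-side check (not PlantUML code): inspect renderer-produced
# SVG for content that would execute in the page that inlines it.

# Elements that carry script or arbitrary HTML into an inline SVG.
SCRIPT_BEARING_ELEMENTS = {"script", "foreignobject"}

# URL schemes allowed on href / xlink:href (an allowlist; everything else is flagged).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII control characters and whitespace while parsing a scheme,
# so strip them before looking at it.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")


def _local_name(qualified: str) -> str:
    """ElementTree writes namespaced names as '{uri}name'; keep only 'name'."""
    return qualified.rsplit("}", 1)[-1]


def _url_scheme(value: str) -> str:
    """Lowercase scheme of a URL value, or '' for relative / schemeless values."""
    cleaned = _CONTROL_OR_SPACE.sub("", value).lower()
    scheme, sep, _rest = cleaned.partition(":")
    return scheme if sep else ""


def find_active_content(svg_text: str) -> list[str]:
    """Return a list of findings describing script-capable content in the SVG.

    Works on the parsed document, so XML character references in attribute
    values (e.g. '&#106;avascript:') are already decoded when inspected.
    For untrusted input in production, parse with defusedxml instead of
    xml.etree, which is not hardened against entity-expansion attacks.
    """
    findings: list[str] = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local_name(elem.tag).lower()
        if tag in SCRIPT_BEARING_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local_name(attr).lower()
            if name.startswith("on"):
                # onclick, onload, onmouseover, ...: inline event handlers
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href":
                scheme = _url_scheme(value)
                if scheme and scheme not in ALLOWED_SCHEMES:
                    findings.append(f"href with scheme '{scheme}' on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """True when the SVG contains nothing that find_active_content flags."""
    return not find_active_content(svg_text)


# Constructed fixtures in the shape of Graphviz SVG output (a node wrapped in <a>).
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g class="node"><a xlink:href="https://example.com/docs/node1"><title>node1</title>
<ellipse cx="27" cy="18" rx="27" ry="18"/><text x="27" y="22">node1</text></a></g>
</svg>"""

UNSAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g class="node"><a xlink:href="&#106;avascript:void(0)" onclick="void(0)"><title>node1</title>
<text x="27" y="22">node1</text></a></g>
<script>/* constructed: would run in the embedding page */</script>
</svg>"""

if __name__ == "__main__":
    print("clean :", find_active_content(CLEAN_SVG))
    print("unsafe:", find_active_content(UNSAFE_SVG))
```

Checking the rendered SVG rather than the DOT source has one property a text filter over DOT cannot have: the XML parser has already decoded character references such as `&#106;avascript:` by the time the scheme is compared, and the scheme is matched against an allowlist instead of a denylist of spellings. For deployments on affected versions, the fix remains upgrading to 1.2026.0; this check is a second layer for whatever SVG the application embeds.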
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| net.sourceforge.plantuml:plantuml | Maven | < 1.2026.0 | 1.2026.0 |
Patches (1)
6826315db092 🔒 remove SVG export for PSystemDot
1 file changed · +6 −38
src/main/java/net/sourceforge/plantuml/directdot/PSystemDot.java+6 −38 modified@@ -37,11 +37,10 @@ import java.io.IOException; import java.io.OutputStream; import java.util.Arrays; -import java.util.regex.Matcher; -import java.util.regex.Pattern; import net.atmp.ImageBuilder; import net.sourceforge.plantuml.AbstractPSystem; +import net.sourceforge.plantuml.FileFormat; import net.sourceforge.plantuml.FileFormatOption; import net.sourceforge.plantuml.FileImageData; import net.sourceforge.plantuml.StringUtils; @@ -74,7 +73,11 @@ public DiagramDescription getDescription() { @Override final protected ImageData exportDiagramNow(OutputStream os, int num, FileFormatOption fileFormat) throws IOException { - final Graphviz graphviz = GraphvizRuntimeEnvironment.getInstance().createForSystemDot(null, filter(data), + + if (fileFormat.getFileFormat() == FileFormat.SVG) + return ImageDataSimple.ok(); + + final Graphviz graphviz = GraphvizRuntimeEnvironment.getInstance().createForSystemDot(null, data, StringUtils.goLowerCase(fileFormat.getFileFormat().name())); if (graphviz.getExeState() != ExeState.OK) { final TextBlock result = GraphicStrings 
@@ -95,39 +98,4 @@ final protected ImageData exportDiagramNow(OutputStream os, int num, FileFormatO return ImageDataSimple.ok(); } - private String filter(String data) { - data = data.replaceAll("(?i)\\bjavascript:", "js:"); - - data = data.replaceAll("(?i)<\\s*/?\\s*script[^>]*>", ""); - - data = sanitizeDotAttribute(data, "fontname"); - data = sanitizeDotAttribute(data, "label"); - data = sanitizeDotAttribute(data, "xlabel"); - data = sanitizeDotAttribute(data, "URL"); - data = sanitizeDotAttribute(data, "href"); - data = sanitizeDotAttribute(data, "tooltip"); - - return data; - } - - private String sanitizeDotAttribute(String dot, String attrName) { - final Pattern p = Pattern.compile("(?i)(" + attrName + ")\\s*=\\s*\"([^\"]*)\""); - final Matcher m = p.matcher(dot); - final StringBuffer sb = new StringBuffer(); - while (m.find()) { - final String originalValue = m.group(2); - final String safeValue = sanitizeAttributeValue(originalValue); - m.appendReplacement(sb, m.group(1) + "=\"" + safeValue + "\""); - } - m.appendTail(sb); - return sb.toString(); - } - - private String sanitizeAttributeValue(String value) { - value = value.replace("<", "").replace(">", ""); - value = value.replace("\"", "").replace("'", ""); - value = value.replaceAll("(?i)on[a-z]+\\s*=", ""); - - return value; - } }
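Review bot: in the `exportDiagramNow` hunk, the early return `if (fileFormat.getFileFormat() == FileFormat.SVG) return ImageDataSimple.ok();` writes nothing to `os` yet reports success, so a caller that asks for SVG from a `dot` diagram receives a zero-byte result with an OK status rather than an error. Consider rendering the same kind of error text block the `graphviz.getExeState() != ExeState.OK` branch below it produces, or returning a non-OK `ImageData`, so the refusal is visible to callers; the behaviour change should also be stated in the release notes. The same hunk also replaces `filter(data)` with `data` for every remaining format, which rests on the assumption that only SVG output can carry active content; a one-line comment at the early return recording that assumption would help whoever adds a text-based format later.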
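Review bot: deleting `filter`, `sanitizeDotAttribute` and `sanitizeAttributeValue` outright instead of patching them is the right choice for the last hunk. The `Pattern` `(?i)(attr)\s*=\s*"([^"]*)"` only rewrote double-quoted `attr="..."` values, so the same attributes written in any other DOT form were never touched, and `replaceAll("(?i)\\bjavascript:", "js:")` and `replaceAll("(?i)on[a-z]+\\s*=", "")` are plain textual matches whose protection depended on the exact spelling of the input. A short comment near the SVG early return explaining why the denylist was abandoned would keep a future maintainer from reintroducing one.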
References (5)
- github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd (NVD: Patch, Web)
- github.com/advisories/GHSA-hrvf-g648-rf3m (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-0858 (GHSA: Advisory)
- security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230 (NVD: Vendor Advisory, Patch, Web)
- github.com/plantuml/plantuml/releases/tag/v1.2026.0 (NVD: Release Notes, Web)