Medium severity (score 6.1) · NVD Advisory · Published Jan 16, 2026 · Updated Apr 29, 2026
CVE-2026-0858
Description
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to stored XSS because interactive attributes in GraphViz-based diagrams (the link, tooltip and similar attributes that PlantUML passes through into the rendered graph) are not sufficiently sanitized. A crafted PlantUML diagram can therefore inject JavaScript into the generated SVG output, and that script runs in the origin of any application that renders the SVG as a document rather than as a plain image.
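The advisory does not say which construct the crafted diagram uses to carry JavaScript, only that it lands in the SVG. The following added example (not PlantUML code, and not from this advisory) is a consumer-side check over SVG text that reports every way script can ride inside SVG: a `<script>` element, a `foreignObject`, an `on*` event-handler attribute, an `href` whose scheme is `javascript:`, `vbscript:` or `data:` (after stripping whitespace and control characters that browsers ignore), and a `<set>`/`<animate>` that rewrites an `href` at runtime. The two sample SVGs are constructed for the example; the function names are the example's own.

```python
"""Detect (and strip) script-capable constructs in SVG output.

Added example, not PlantUML code: a consumer-side check for SVG produced by an
unpatched renderer. Which vector CVE-2026-0858 actually uses is not stated in
the advisory, so the check covers every way JavaScript can ride inside SVG.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the conventional prefixes when the sanitised tree is serialised.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# URL schemes that execute or embed code when a link inside the SVG is followed.
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name):
    """Drop the namespace from an ElementTree name: '{ns}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def _normalised(value):
    """Lower-case and remove whitespace/control chars so 'java\\nscript:' is caught."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def _is_bad_url(value):
    return _normalised(value).startswith(BAD_SCHEMES)


def _rewrites_href(el):
    """True for <set>/<animate> elements that target an href attribute."""
    return (_local(el.tag).lower() in ("set", "animate")
            and el.get("attributeName", "").lower().endswith("href"))


def svg_script_findings(svg_text):
    """Return one string per script-capable construct found in the SVG."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag.lower() in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        if _rewrites_href(el):
            for a in ("to", "from", "values"):
                if _is_bad_url(el.get(a, "")):
                    findings.append(f"<{tag}> rewrites href: {a}={el.get(a)!r}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name}")
            elif name.lower() == "href" and _is_bad_url(value):
                findings.append(f"href with scheme {_normalised(value).split(':')[0]}:")
    return findings


def strip_script_capable(svg_text):
    """Return the SVG with the constructs reported by svg_script_findings removed."""
    root = ET.fromstring(svg_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if _local(el.tag).lower() in ("script", "foreignobject") or _rewrites_href(el):
            if el in parents:
                parents[el].remove(el)
            continue
        for attr in list(el.attrib):
            name = _local(attr).lower()
            if name.startswith("on") or (name == "href" and _is_bad_url(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed samples, not real PlantUML output: a harmless hyperlink with a
# tooltip and target, and a hostile one carrying four different script vectors.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="40">
  <a xlink:href="https://example.com/doc" xlink:title="Open the doc" target="_top">
    <rect x="0" y="0" width="100" height="40"/>
  </a>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="java&#10;script:alert(document.domain)" xlink:title="x">
    <rect width="100" height="40" onclick="alert(1)"/>
  </a>
  <script>alert(2)</script>
  <set attributeName="xlink:href" to="javascript:alert(3)"/>
</svg>"""

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, svg_script_findings(svg))
    print(strip_script_capable(MALICIOUS_SVG))
```

Script inside SVG only runs when the SVG is loaded as a document: inline `<svg>` in the page DOM, `<object>`, `<iframe>`, or navigating to the file directly. An `<img src="...svg">` reference does not execute it, so how an application embeds PlantUML output decides whether this advisory is exploitable there. Upgrading to 1.2026.0 fixes the source; a check like the one above is defence in depth for SVGs already generated or for deployments that must keep an older PlantUML for a while.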
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net.sourceforge.plantuml:plantuml (Maven) | < 1.2026.0 | 1.2026.0 |
References
- github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd (fix commit; listed by NVD as the patch)
- github.com/advisories/GHSA-hrvf-g648-rf3m (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-0858 (NVD entry)
- security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230 (Snyk advisory; listed by NVD as vendor advisory and patch)
- github.com/plantuml/plantuml/releases/tag/v1.2026.0 (release notes for the patched version)