Medium severity4.4NVD Advisory· Published May 4, 2026· Updated May 7, 2026

CVE-2026-42140


Description

PlantUML Macro is an XWiki macro for rendering UML diagrams from simple textual descriptions. Prior to version 2.4.1, the macro is vulnerable to Server-Side Request Forgery (SSRF): it lets users specify an alternative PlantUML server through the `server` macro parameter, and the supplied URL is used without any validation. An attacker can therefore point the parameter at an internal IP address or at a malicious external host, and the XWiki server will connect to that URL to "render" the diagram. Version 2.4.1 patches this by rejecting server URLs (including the configured default) whose host is not in XWiki's trusted-domain list.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.contrib.plantuml:macro-plantuml-macroMaven
< 2.4.12.4.1

Affected products

1

Patches

1
c8b19bda9305

PLANTUML-25: Add a check for known domains

https://github.com/xwiki-contrib/macro-plantumlVincent MassolDec 18, 2025via ghsa
7 files changed · +76 6
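--- a/macro-plantuml-macro/pom.xml
+++ b/macro-plantuml-macro/pom.xml
@@ -81,6 +81,11 @@
       <artifactId>xwiki-platform-resource-temporary</artifactId>
       <version>${platform.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-url-api</artifactId>
+      <version>${platform.version}</version>
+    </dependency>
     <!-- Test Dependencies -->
     <dependency>
       <groupId>org.xwiki.rendering</groupId>
@@ -100,6 +105,18 @@
       <version>${rendering.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-url-container</artifactId>
+      <version>${platform.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-url-default</artifactId>
+      <version>${platform.version}</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>javax.servlet</groupId>
       <artifactId>javax.servlet-api</artifactId>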
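--- a/macro-plantuml-macro/src/main/java/org/xwiki/contrib/plantuml/internal/PlantUMLMacro.java
+++ b/macro-plantuml-macro/src/main/java/org/xwiki/contrib/plantuml/internal/PlantUMLMacro.java
@@ -19,6 +19,8 @@
  */
 package org.xwiki.contrib.plantuml.internal;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -46,6 +48,7 @@
 import org.xwiki.rendering.macro.MacroExecutionException;
 import org.xwiki.rendering.macro.descriptor.DefaultContentDescriptor;
 import org.xwiki.rendering.transformation.MacroTransformationContext;
+import org.xwiki.url.URLSecurityManager;
 
 /**
  * Asynchronous macro that generates an image from a textual description, using PlantUML.
@@ -90,6 +93,9 @@ public class PlantUMLMacro extends AbstractMacro<PlantUMLMacroParameters>
     @Inject
     private Logger logger;
 
+    @Inject
+    private URLSecurityManager urlSecurityManager;
+
     /**
      * Create and initialize the descriptor of the macro.
      */
@@ -153,12 +159,27 @@ List<Block> executeSync(String content, PlantUMLMacroParameters parameters, bool
         return Arrays.asList(resultBlock);
     }
 
-    private String computeServer(PlantUMLMacroParameters parameters)
+    private String computeServer(PlantUMLMacroParameters parameters) throws MacroExecutionException
     {
         String serverURL = parameters.getServer();
         if (serverURL == null) {
             serverURL = this.configuration.getPlantUMLServerURL();
         }
+
+        // Verify that the server is in the trusted domain list to avoid SSRF attacks.
+        if (serverURL != null) {
+            URL url;
+            try {
+                url = new URL(serverURL);
+            } catch (MalformedURLException e) {
+                throw new MacroExecutionException(String.format("Invalid PlantUML Server URL [%s]", serverURL), e);
+            }
+            if (!this.urlSecurityManager.isDomainTrusted(url)) {
+                throw new MacroExecutionException(String.format("The PlantUML Server URL [%s] is not in the list of "
+                    + "trusted domains.", serverURL));
+            }
+        }
+
         return serverURL;
     }
 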
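Review bot: The new guard in computeServer delegates entirely to `isDomainTrusted(url)` and never inspects the scheme, so whether a `file:`, `jar:` or other non-HTTP URL (which may carry no host at all) is rejected depends on that component's handling, which this hunk does not show; an explicit check before the domain test, `String scheme = url.getProtocol(); if (!"http".equals(scheme) && !"https".equals(scheme)) { throw new MacroExecutionException(String.format("Unsupported PlantUML Server URL scheme [%s]", scheme)); }`, keeps the SSRF boundary independent of it. The check also applies to the admin-configured fallback from `configuration.getPlantUMLServerURL()`, so after upgrading, installations whose configured server is not in the trusted-domain list will fail to render every diagram; that behaviour change deserves a sentence in the README or release notes. Redirects or DNS rebinding after the URL has been accepted are not covered here either, and the code that actually fetches from the server lies outside this hunk. The method would also benefit from a Javadoc along the lines of `/** Returns the PlantUML server URL to use (parameter first, then configuration) after verifying its host is trusted; throws MacroExecutionException if the URL is malformed or its host is not in the trusted-domain list. */`.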
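--- a/macro-plantuml-macro/src/test/java/org/xwiki/contrib/plantuml/IntegrationTests.java
+++ b/macro-plantuml-macro/src/test/java/org/xwiki/contrib/plantuml/IntegrationTests.java
@@ -21,6 +21,7 @@
 
 import java.io.IOException;
 import java.net.ServerSocket;
+import java.net.URL;
 
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
@@ -36,6 +37,7 @@
 import org.xwiki.test.XWikiTempDirUtil;
 import org.xwiki.test.annotation.AllComponents;
 import org.xwiki.test.mockito.MockitoComponentManager;
+import org.xwiki.url.URLSecurityManager;
 import org.xwiki.wiki.descriptor.WikiDescriptorManager;
 
 import net.sourceforge.plantuml.picoweb.PicoWebServer;
@@ -109,5 +111,8 @@ public void initialize(MockitoComponentManager componentManager) throws Exceptio
         componentManager.unregisterComponent(EventListener.class, "refactoring.relativeLinksUpdater");
         componentManager.unregisterComponent(EventListener.class, "refactoring.backLinksUpdater");
         componentManager.registerMockComponent(PlantUMLConfiguration.class);
+
+        URLSecurityManager urlSecurityManager = componentManager.registerMockComponent(URLSecurityManager.class);
+        when(urlSecurityManager.isDomainTrusted(new URL("http://localhost:8777"))).thenReturn(true);
     }
 }
\ No newline at end of file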
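Review bot: The stub on the last added line matches only a URL equal to `new URL("http://localhost:8777")`, and `java.net.URL.equals` is documented to compare hosts by resolving them, which makes the match environment-dependent and potentially slow; matching on the parsed host instead, `when(urlSecurityManager.isDomainTrusted(argThat(u -> "localhost".equals(u.getHost())))).thenReturn(true);` (with a static import of Mockito's argThat), avoids that while still leaving every other host rejected by the mock's default false. Because both the positive and the negative rendering tests run against this mock, the real URLSecurityManager's trusted-domain logic is never exercised; the `xwiki-platform-url-default` test dependency added in pom.xml suggests a run against the real component was intended but is not wired up here. The start of initialize lies outside the hunk.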
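--- a/macro-plantuml-macro/src/test/resources/macroplantuml2.test
+++ b/macro-plantuml-macro/src/test/resources/macroplantuml2.test
@@ -1,8 +1,8 @@
 .runTransformations
-.#-----------------------------------------------------
+.#----------------------------------------------------------------------------------
 .input|xwiki/2.0
-.# Test the PlantUML macro with a PlantUML server
-.#-----------------------------------------------------
+.# Test the PlantUML macro with a PlantUML server that is in the trusted domain list
+.#----------------------------------------------------------------------------------
 {{plantuml server="http://localhost:8777"}}
 @startuml
 Bob -> Alice : hello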
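--- /dev/null
+++ b/macro-plantuml-macro/src/test/resources/macroplantuml6.test
@@ -0,0 +1,27 @@
+.runTransformations
+.#--------------------------------------------------------------------------------------
+.input|xwiki/2.0
+.# Test the PlantUML macro with a PlantUML server that is not in the trusted domain list
+.#--------------------------------------------------------------------------------------
+{{plantuml server="http://nottrusteddomain"}}
+@startuml
+Bob -> Alice : hello
+@enduml
+{{/plantuml}}
+.#-----------------------------------------------------
+.expect|event/1.0
+.#-----------------------------------------------------
+beginDocument
+beginMacroMarkerStandalone [plantuml] [server=http://nottrusteddomain] [@startuml
+Bob -> Alice : hello
+@enduml]
+beginGroup [[class]=[xwikirenderingerror]]
+onWord [Failed to execute the PlantUML macro. Cause: [The PlantUML Server URL [http://nottrusteddomain] is not in the list of trusted domains.]. Click on this message for details.]
+endGroup [[class]=[xwikirenderingerror]]
+beginGroup [[class]=[xwikirenderingerrordescription hidden]]
+onVerbatim [org.xwiki.rendering.macro.MacroExecutionException: The PlantUML Server URL [http://nottrusteddomain] is not in the list of trusted domains.${{{regex:.*}}}] [false]
+endGroup [[class]=[xwikirenderingerrordescription hidden]]
+endMacroMarkerStandalone [plantuml] [server=http://nottrusteddomain] [@startuml
+Bob -> Alice : hello
+@enduml]
+endDocument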
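Review bot: The negative case covers only a bare hostname (`http://nottrusteddomain`), while the advisory's primary attack target is an internal or loopback IP address; nothing in this resource states that such a target is rejected, even though the mocked URLSecurityManager would reject it by default. A sibling resource mirroring this file with `{{plantuml server="http://127.0.0.1:8777"}}` (the same port the trusted localhost test server uses) and the matching error text would make that expectation explicit, and a third with a malformed value would pin the "Invalid PlantUML Server URL" path added in the same commit. Whether the real URLSecurityManager treats `127.0.0.1` and `localhost` differently is outside this diff.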
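--- a/pom.xml
+++ b/pom.xml
@@ -25,7 +25,7 @@
   <parent>
     <groupId>org.xwiki.contrib</groupId>
     <artifactId>parent-platform</artifactId>
-    <version>12.10-1</version>
+    <version>12.10.11</version>
   </parent>
   <groupId>org.xwiki.contrib.plantuml</groupId>
   <artifactId>macro-plantuml</artifactId>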
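--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Generate diagram images from textual definitions in various syntaxes, using [Pla
 * [Issue Tracker](https://jira.xwiki.org/browse/PLANTUML)
 * Communication: [Forum](https://dev.xwiki.org/xwiki/bin/view/Community/Discuss), [Chat](https://dev.xwiki.org/xwiki/bin/view/Community/Chat)
 * [Development Practices](https://dev.xwiki.org)
-* Minimal XWiki version supported: XWiki 12.10
+* Minimal XWiki version supported: XWiki 12.10.11
 * License: LGPL 2.1
 * Translations: N/A
 * Sonar Dashboard: [![Status](https://sonarcloud.io/api/project_badges/measure?project=org.xwiki.contrib.plantuml:macro-plantuml&metric=alert_status)](https://sonarcloud.io/dashboard?id=org.xwiki.contrib.plantuml:macro-plantuml)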


References

5
