VYPR

Vendor CVEs

Jgraph

All CVEs

28 total · sorted by risk
  • CVE-2026-46642 · Med · Jun 10, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the…

  • CVE-2026-42195 · Low · May 8, 2026
    risk 0.15 · cvss 3.4 · epss 0.00

    draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in…

  • CVE-2022-1713 · May 16, 2022
    risk 0.01 · cvss n/a · epss 0.09

    SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.

  • CVE-2023-3975 · Jul 27, 2023
    risk 0.00 · cvss n/a · epss 0.02

    OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.

  • CVE-2023-3974 · Jul 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

  • CVE-2023-3973 · Jul 27, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.

  • CVE-2023-3398 · Jun 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.

  • CVE-2023-3026 · Jun 1, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.

  • CVE-2022-3873 · Nov 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.

  • CVE-2022-3223 · Sep 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.

  • CVE-2022-3133 · Sep 9, 2022
    risk 0.00 · cvss n/a · epss 0.01

    OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.

  • CVE-2022-3138 · Sep 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

  • CVE-2022-3148 · Sep 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

  • CVE-2022-3127 · Sep 5, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.

  • CVE-2022-3065 · Sep 2, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.

  • CVE-2022-2015 · Jun 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.

  • CVE-2022-2014 · Jun 8, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.

  • CVE-2022-1815 · May 25, 2022
    risk 0.00 · cvss n/a · epss 0.06

    Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.

  • CVE-2022-1784 · May 20, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.

  • CVE-2022-1730 · May 19, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.

  • CVE-2022-1774 · May 18, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.

  • CVE-2022-1767 · May 18, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

  • CVE-2022-1727 · May 18, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.

  • CVE-2022-1711 · May 17, 2022
    risk 0.00 · cvss n/a · epss 0.05

    Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.

  • CVE-2022-1723 · May 17, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.

  • CVE-2022-1721 · May 16, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.

  • CVE-2022-1722 · May 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. Allows SSRF to internal link-local IPv6 addresses.

  • CVE-2022-1575 · May 5, 2022
    risk 0.00 · cvss n/a · epss 0.02

    Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.
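The CVE-2026-42195 entry above describes a client that lets a ?gitlab= query parameter replace the GitLab server URL used for OAuth sign-in; its description is truncated on this page, and the page does not show what the fix in 29.7.9 looks like. The following is an added example, not code from jgraph/drawio, that shows the weak pattern beside a hardened one: the authorize step is only ever built from an operator-allowlisted origin. DEFAULT_GITLAB, ALLOWED_GITLAB_ORIGINS, the function names and the editor.example / attacker.example hosts are assumptions for illustration.

```javascript
// Added example, not code from jgraph/drawio: how a web client resolves the
// GitLab base URL that its OAuth "Authorize" step navigates the user to.
// The weak version trusts a ?gitlab= query parameter verbatim, so a crafted
// link points the authorization step at a host the attacker controls. The
// hardened version honours the parameter only when it names an allowlisted
// https origin. DEFAULT_GITLAB, ALLOWED_GITLAB_ORIGINS and the function
// names are illustrative assumptions, not draw.io identifiers.

const DEFAULT_GITLAB = 'https://gitlab.com';
// Hypothetical operator configuration: the instances this deployment may
// sign in against.
const ALLOWED_GITLAB_ORIGINS = new Set(['https://gitlab.com', 'https://gitlab.internal.example']);

// Weak: whatever ?gitlab= says replaces the configured server URL.
function resolveGitLabBaseWeak(pageUrl) {
  return new URL(pageUrl).searchParams.get('gitlab') || DEFAULT_GITLAB;
}

// Hardened: normalise the parameter to an origin (this drops userinfo, path,
// query and fragment, so "https://gitlab.com@attacker.example" becomes
// "https://attacker.example"), require https, and require an allowlisted
// origin. Anything else falls back to the configured default.
function resolveGitLabBaseHardened(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get('gitlab');
  if (!raw) return DEFAULT_GITLAB;
  let origin;
  try {
    const u = new URL(raw);
    if (u.protocol !== 'https:') return DEFAULT_GITLAB;
    origin = u.origin;
  } catch {
    return DEFAULT_GITLAB; // not an absolute, parseable URL
  }
  return ALLOWED_GITLAB_ORIGINS.has(origin) ? origin : DEFAULT_GITLAB;
}

// Where the override lands: the URL the "Authorize" click navigates to.
function buildAuthorizeUrl(gitlabBase, clientId, redirectUri, state) {
  const u = new URL('/oauth/authorize', gitlabBase);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('state', state);
  return u.toString();
}

// Constructed crafted link for demonstration (attacker-controlled host).
const CRAFTED = 'https://editor.example/?gitlab=https://attacker.example';

console.log('weak     :', buildAuthorizeUrl(resolveGitLabBaseWeak(CRAFTED), 'client-id', 'https://editor.example/oauth/cb', 'nonce'));
console.log('hardened :', buildAuthorizeUrl(resolveGitLabBaseHardened(CRAFTED), 'client-id', 'https://editor.example/oauth/cb', 'nonce'));
```

The allowlist check is done against the parsed origin rather than the raw string so that userinfo tricks, path suffixes and look-alike hosts such as gitlab.com.attacker.example are all rejected. Note that this is a client-side concern the identity provider cannot fix: redirect_uri validation at the real GitLab does nothing if the user was sent to a different server in the first place.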
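The /proxy SSRF entries above (CVE-2022-1713, CVE-2022-1711, CVE-2022-1723, CVE-2022-1767, CVE-2022-1784 and, for IPv6 link-local targets specifically, CVE-2022-1722) name a bug class; the page does not show how the project's proxy filter was changed between those releases. The following is an added example, not code from jgraph/drawio, of a proxy destination check that classifies IP literals in both address families, including the fe80::/10 link-local block and IPv4 addresses embedded in IPv6 (::ffff:a.b.c.d), which a filter that only knows IPv4 ranges lets through. Function names, the range list and the sample URLs are assumptions for illustration.

```javascript
// Added example, not code from jgraph/drawio: a destination check for a
// /proxy-style server-side fetch. It rejects loopback, private and
// link-local targets in IPv4 and IPv6, including fe80::/10 and IPv4-mapped
// IPv6 literals. Function names, ranges and sample URLs are assumptions.

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const b = m.slice(1).map(Number);
  return b.every((x) => x <= 255) ? b : null;
}

// Expand an IPv6 literal (no brackets) into 16 bytes, or null if malformed.
function parseIPv6(s) {
  const lastColon = s.lastIndexOf(':');
  if (lastColon === -1) return null;
  // A dotted IPv4 tail (e.g. ::ffff:169.254.169.254) becomes two hex groups.
  if (s.slice(lastColon + 1).includes('.')) {
    const v4 = parseIPv4(s.slice(lastColon + 1));
    if (!v4) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    s = s.slice(0, lastColon + 1) + hex(v4[0], v4[1]) + ':' + hex(v4[2], v4[3]);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const toGroups = (str) =>
    str === '' ? [] : str.split(':').map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  if ([...head, ...tail].some(Number.isNaN)) return null;
  const missing = 8 - head.length - tail.length; // groups elided by "::"
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const bytes = [];
  for (const g of [...head, ...new Array(missing).fill(0), ...tail]) bytes.push(g >> 8, g & 0xff);
  return bytes;
}

function classifyIPv4(b) {
  if (b[0] === 10) return 'private';
  if (b[0] === 127) return 'loopback';
  if (b[0] === 169 && b[1] === 254) return 'link-local';
  if (b[0] === 172 && b[1] >= 16 && b[1] <= 31) return 'private';
  if (b[0] === 192 && b[1] === 168) return 'private';
  if (b[0] === 100 && b[1] >= 64 && b[1] <= 127) return 'private'; // CGNAT
  if (b[0] === 0) return 'unspecified';
  return 'public';
}

function classifyIPv6(b) {
  const allZero = (arr) => arr.every((x) => x === 0);
  if (allZero(b.slice(0, 15)) && b[15] === 1) return 'loopback';      // ::1
  if (allZero(b)) return 'unspecified';                                 // ::
  if (allZero(b.slice(0, 10)) && b[10] === 0xff && b[11] === 0xff) {    // ::ffff:a.b.c.d
    return classifyIPv4(b.slice(12));                                   // judge the embedded IPv4
  }
  if (b[0] === 0xfe && (b[1] & 0xc0) === 0x80) return 'link-local';     // fe80::/10
  if ((b[0] & 0xfe) === 0xfc) return 'private';                         // fc00::/7 (ULA)
  return 'public';
}

// Decide whether the proxy may fetch `target`. Returns { ok, reason }.
// The WHATWG URL parser already canonicalises IPv4 forms such as
// "2130706433" or "0x7f.0.0.1" to dotted decimal, so the literal checks see
// one spelling; bracketed IPv6 hosts are handed to parseIPv6.
function checkProxyTarget(target) {
  let u;
  try { u = new URL(target); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme ' + u.protocol };
  if (u.username || u.password) return { ok: false, reason: 'userinfo in URL' };
  const host = u.hostname;
  if (host.startsWith('[') && host.endsWith(']')) {
    const bytes = parseIPv6(host.slice(1, -1));
    if (!bytes) return { ok: false, reason: 'invalid IPv6 literal' };
    const kind = classifyIPv6(bytes);
    return kind === 'public' ? { ok: true, reason: 'public IPv6' } : { ok: false, reason: kind + ' IPv6' };
  }
  const v4 = parseIPv4(host);
  if (v4) {
    const kind = classifyIPv4(v4);
    return kind === 'public' ? { ok: true, reason: 'public IPv4' } : { ok: false, reason: kind + ' IPv4' };
  }
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost name' };
  return { ok: true, reason: 'hostname; resolve and re-check the resolved address before connecting' };
}

// Constructed sample targets for demonstration.
for (const t of ['http://[fe80::1]/', 'http://[::ffff:169.254.169.254]/latest/meta-data/', 'https://example.com/diagram.xml']) {
  console.log(t, checkProxyTarget(t));
}
```

A literal check like this is necessary but not sufficient for a proxy: a hostname must be resolved, every resolved address classified the same way, and the connection pinned to the address that passed (otherwise a DNS rebinding answer or a second lookup at connect time gets around the filter), and each HTTP redirect hop must go through the same check.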