Jgraph
All CVEs
28 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46642 | Jgraph | Med | 0.33 | 6.1 | 0.00 | | Jun 10, 2026 | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the… |
| CVE-2026-42195 | Jgraph | Low | 0.15 | 3.4 | 0.00 | | May 8, 2026 | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in… |
| CVE-2022-1713 | Jgraph | | 0.01 | — | 0.09 | | May 16, 2022 | SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information. |
| CVE-2023-3975 | Jgraph | | 0.00 | — | 0.02 | | Jul 27, 2023 | OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. |
| CVE-2023-3974 | Jgraph | | 0.00 | — | 0.01 | | Jul 27, 2023 | OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0. |
| CVE-2023-3973 | Jgraph | | 0.00 | — | 0.00 | | Jul 27, 2023 | Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3. |
| CVE-2023-3398 | Jgraph | | 0.00 | — | 0.01 | | Jun 26, 2023 | Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. |
| CVE-2023-3026 | Jgraph | | 0.00 | — | 0.01 | | Jun 1, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8. |
| CVE-2022-3873 | Jgraph | | 0.00 | — | 0.01 | | Nov 7, 2022 | Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2. |
| CVE-2022-3223 | Jgraph | | 0.00 | — | 0.01 | | Sep 16, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. |
| CVE-2022-3133 | Jgraph | | 0.00 | — | 0.01 | | Sep 9, 2022 | OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. |
| CVE-2022-3138 | Jgraph | | 0.00 | — | 0.01 | | Sep 8, 2022 | Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. |
| CVE-2022-3148 | Jgraph | | 0.00 | — | 0.01 | | Sep 8, 2022 | Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. |
| CVE-2022-3127 | Jgraph | | 0.00 | — | 0.01 | | Sep 5, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. |
| CVE-2022-3065 | Jgraph | | 0.00 | — | 0.01 | | Sep 2, 2022 | Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. |
| CVE-2022-2015 | Jgraph | | 0.00 | — | 0.01 | | Jun 8, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. |
| CVE-2022-2014 | Jgraph | | 0.00 | — | 0.01 | | Jun 8, 2022 | Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. |
| CVE-2022-1815 | Jgraph | | 0.00 | — | 0.06 | | May 25, 2022 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. |
| CVE-2022-1784 | Jgraph | | 0.00 | — | 0.02 | | May 20, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. |
| CVE-2022-1730 | Jgraph | | 0.00 | — | 0.01 | | May 19, 2022 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. |
| CVE-2022-1774 | Jgraph | | 0.00 | — | 0.01 | | May 18, 2022 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. |
| CVE-2022-1767 | Jgraph | | 0.00 | — | 0.02 | | May 18, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. |
| CVE-2022-1727 | Jgraph | | 0.00 | — | 0.01 | | May 18, 2022 | Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6. |
| CVE-2022-1711 | Jgraph | | 0.00 | — | 0.05 | | May 17, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5. |
| CVE-2022-1723 | Jgraph | | 0.00 | — | 0.02 | | May 17, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6. |
| CVE-2022-1721 | Jgraph | | 0.00 | — | 0.02 | | May 16, 2022 | Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application. |
| CVE-2022-1722 | Jgraph | | 0.00 | — | 0.01 | | May 16, 2022 | SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses. |
| CVE-2022-1575 | Jgraph | | 0.00 | — | 0.02 | | May 5, 2022 | Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. Arbitrary (remote) code execution in the desktop app; stored XSS in the web app. |