Server-Side Request Forgery Vulnerability in PlantUML Macro by XWiki
CVE-2026-42140

4.4MEDIUM

Key Information:

Vendor

Xwiki-contrib

Status
Macro-plantuml
Vendor
CVE Published:
4 May 2026

What is CVE-2026-42140?

The PlantUML Macro for XWiki is susceptible to Server-Side Request Forgery (SSRF) due to improper validation of URLs supplied by users. This flaw allows attackers to specify an arbitrary PlantUML server through a parameter, potentially enabling them to connect to sensitive internal services or external malicious URLs when attempting to render UML diagrams. An update has been made in version 2.4.1 to address this security issue.

Affected Version(s)

macro-plantuml < 2.4.1

References

https://github.com/xwiki-contrib/macro-plantuml/security/...
x_refsource_CONFIRM
https://github.com/xwiki-contrib/macro-plantuml/commit/c8...
x_refsource_MISC
https://jira.xwiki.org/browse/PLANTUML-25
x_refsource_MISC

CVSS V3.1

Score:
4.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.