draw.io: XSS via crafted cell label when opening a .drawio file
CVE-2026-46642

6.1MEDIUM

Key Information:

Vendor: Jgraph
Status: Drawio
Vendor: CVE Published:; 10 June 2026

What is CVE-2026-46642?

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

Affected Version(s)

drawio < 29.7.12

References

https://github.com/jgraph/drawio/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/jgraph/drawio/releases/tag/v29.7.12

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 15, 2026

CVE-2026-46642 Data

JSON

Jgraph

What is CVE-2026-46642?

Affected Version(s)

References

CVSS V3.1

Timeline