ReportizFlow
Filtered by vendor Diagrams
Subscriptions
Total
27 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-46642 | 2 Diagrams, Jgraph | 2 Drawio, Drawio | 2026-06-16 | 6.1 Medium |
| draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12. | ||||
| CVE-2022-3873 | 1 Diagrams | 1 Drawio | 2025-05-01 | 6.1 Medium |
| Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2. | ||||
| CVE-2023-3026 | 1 Diagrams | 1 Drawio | 2025-01-10 | 6.1 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8. | ||||
| CVE-2023-3398 | 1 Diagrams | 1 Drawio | 2024-12-03 | 7.5 High |
| Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. | ||||
| CVE-2023-3975 | 2 Diagrams, Jgraph | 2 Drawio, Drawio | 2024-11-21 | 9.8 Critical |
| OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. | ||||
| CVE-2023-3974 | 2 Diagrams, Jgraph | 2 Drawio, Drawio | 2024-11-21 | 9.8 Critical |
| OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0. | ||||
| CVE-2023-3973 | 2 Diagrams, Jgraph | 2 Drawio, Drawio | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3. | ||||
| CVE-2022-3223 | 1 Diagrams | 1 Drawio | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. | ||||
| CVE-2022-3148 | 1 Diagrams | 1 Drawio | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. | ||||
| CVE-2022-3138 | 1 Diagrams | 1 Drawio | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. | ||||
| CVE-2022-3133 | 1 Diagrams | 1 Drawio | 2024-11-21 | 7.8 High |
| OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. | ||||
| CVE-2022-3127 | 1 Diagrams | 1 Drawio | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. | ||||
| CVE-2022-3065 | 1 Diagrams | 1 Drawio | 2024-11-21 | 7.5 High |
| Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. | ||||
| CVE-2022-2015 | 1 Diagrams | 1 Drawio | 2024-11-21 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. | ||||
| CVE-2022-2014 | 1 Diagrams | 1 Drawio | 2024-11-21 | 5.4 Medium |
| Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. | ||||
| CVE-2022-1815 | 1 Diagrams | 1 Drawio | 2024-11-21 | 7.5 High |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. | ||||
| CVE-2022-1784 | 1 Diagrams | 1 Drawio | 2024-11-21 | 7.5 High |
| Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. | ||||
| CVE-2022-1774 | 1 Diagrams | 1 Drawio | 2024-11-21 | 6.1 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. | ||||
| CVE-2022-1767 | 1 Diagrams | 1 Drawio | 2024-11-21 | 7.5 High |
| Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. | ||||
| CVE-2022-1730 | 1 Diagrams | 1 Drawio | 2024-11-21 | 4.6 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. | ||||