CVE-2026-0858
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-04-29

Assigner: Snyk

Description
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0858
EUVD
EUVD-2026-2918
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
net.sourceforge.plantuml plantuml to 1.2026.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0858 is a Stored Cross-Site Scripting (XSS) vulnerability in the PlantUML package before version 1.2026.0. It occurs because the software does not properly sanitize interactive attributes in GraphViz diagrams. An attacker can craft a malicious PlantUML diagram that injects harmful JavaScript into the SVG output generated by PlantUML. When an application renders this SVG, the malicious script executes in the context of that application, potentially allowing arbitrary script execution. [3]

Impact Analysis

This vulnerability can lead to arbitrary script execution in applications that render the malicious SVG output generated by PlantUML. This means an attacker could execute JavaScript code within the context of the affected application, potentially leading to unauthorized actions, data theft, or manipulation of the application's behavior. The attack requires user interaction to trigger the script execution, but no special privileges are needed by the attacker. [3]

Detection Guidance

You can detect this vulnerability by identifying if your system is running a vulnerable version of PlantUML (versions before 1.2026.0) that generates SVG output from GraphViz diagrams. Specifically, look for SVG files generated by PlantUML that may contain malicious JavaScript injected via interactive attributes. There are no specific commands provided in the resources, but you can check the PlantUML version installed by running commands like `plantuml -version` or inspecting the package version in your environment. Additionally, scanning SVG files generated by PlantUML for suspicious script tags or JavaScript event handlers could help detect exploitation attempts. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the PlantUML package to version 1.2026.0 or later, where the vulnerability has been fixed by disabling SVG export from the vulnerable GraphViz integration. This prevents the generation of unsafe SVG content that could contain malicious JavaScript. [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart