CVE-2026-0858
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-04-29
Assigner: Snyk
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| net.sourceforge.plantuml | plantuml | up to 1.2026.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0858 is a Stored Cross-Site Scripting (XSS) vulnerability in the PlantUML package before version 1.2026.0. It occurs because the software does not properly sanitize interactive attributes in GraphViz diagrams. An attacker can craft a malicious PlantUML diagram that injects harmful JavaScript into the SVG output generated by PlantUML. When an application renders this SVG, the malicious script executes in the context of that application, potentially allowing arbitrary script execution. [3]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary script execution in applications that render the malicious SVG output generated by PlantUML. This means an attacker could execute JavaScript code within the context of the affected application, potentially leading to unauthorized actions, data theft, or manipulation of the application's behavior. The attack requires user interaction to trigger the script execution, but no special privileges are needed by the attacker. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by identifying if your system is running a vulnerable version of PlantUML (versions before 1.2026.0) that generates SVG output from GraphViz diagrams. Specifically, look for SVG files generated by PlantUML that may contain malicious JavaScript injected via interactive attributes. There are no specific commands provided in the resources, but you can check the PlantUML version installed by running commands like `plantuml -version` or inspecting the package version in your environment. Additionally, scanning SVG files generated by PlantUML for suspicious script tags or JavaScript event handlers could help detect exploitation attempts. [3]
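The two checks described in the answer above, a version check and a scan of generated SVG files for script elements, event-handler attributes and `javascript:` URLs, as an added Python example (this is not BaseFortify's or PlantUML's code). The version-string format is assumed to be the usual "PlantUML version 1.2025.4 (...)" line; the two SVG documents are constructed here to exercise the scanner and are not PlantUML output.

```python
"""Defender-side checks for CVE-2026-0858 (stored XSS via PlantUML SVG output).

1. parse_plantuml_version / is_affected: compare the installed PlantUML
   version against the fixed release 1.2026.0.
2. scan_svg: inspect an SVG document for the markup an injected script
   would need to run when the SVG is rendered inline: <script> elements,
   on* event-handler attributes, and href values using the javascript: scheme.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

FIXED_VERSION = (1, 2026, 0)  # first release with the fix, per the advisory


def parse_plantuml_version(text):
    """Extract (major, year, patch) from `plantuml -version` output.

    Assumes the output contains a dotted triple such as 1.2025.4; returns
    None if no such triple is present.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version):
    """True when the installed version is older than the fixed release."""
    return version is not None and version < FIXED_VERSION


def _local(name):
    """Strip an XML namespace prefix like '{http://www.w3.org/2000/svg}'."""
    return name.split("}")[-1].lower()


def scan_svg(svg_text):
    """Return a list of (kind, location, snippet) findings for one SVG document.

    The document is parsed as XML, so character references (e.g. &#106;)
    are decoded before the checks run; that matters for the javascript:
    scheme check, which is done case-insensitively on the decoded value.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            body = (elem.text or "").strip()
            findings.append(("script-element", tag, body[:60]))
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onclick, onload, onmouseover, ...
                findings.append(("event-handler", f"{tag}@{name}", value[:60]))
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-url", f"{tag}@{name}", value[:60]))
    return findings


def scan_directory(directory):
    """Scan every *.svg file under a directory; returns {path: findings}."""
    results = {}
    for path in Path(directory).rglob("*.svg"):
        findings = scan_svg(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


# Constructed samples (not real PlantUML output).
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="120" height="60">
  <g class="node">
    <a xlink:href="https://example.org/docs">
      <ellipse cx="60" cy="30" rx="50" ry="20"/>
      <text x="60" y="35">Node</text>
    </a>
  </g>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="120" height="60">
  <script>void(0)</script>
  <g class="node" onclick="void(0)">
    <a xlink:href="&#106;avaScript:void(0)">
      <text x="60" y="35">Node</text>
    </a>
  </g>
</svg>"""

if __name__ == "__main__":
    print("version 1.2025.4 affected:", is_affected(parse_plantuml_version("PlantUML version 1.2025.4")))
    for f in scan_svg(SUSPICIOUS_SVG):
        print(f)
```

`scan_directory` is the piece you would point at the output folder of a build or wiki export; a finding is a reason to inspect the diagram source that produced the file, not proof of exploitation, because legitimate hand-written SVGs can contain the same attributes.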
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the PlantUML package to version 1.2026.0 or later, where the vulnerability has been fixed by disabling SVG export from the vulnerable GraphViz integration. This prevents the generation of unsafe SVG content that could contain malicious JavaScript. [3, 2]