CVE-2026-42140
Server-Side Request Forgery in PlantUML Macro for XWiki
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| plantuml | macro | to 2.4.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the PlantUML Macro, which is used to render UML diagrams from simple text. Before version 2.4.1, the macro allowed users to specify an alternative PlantUML server via a server parameter without validating the supplied URL. This lack of validation enables an attacker to provide an internal IP address or a malicious external URL. As a result, the XWiki server attempts to connect to this attacker-controlled URL to render the diagram, leading to a Server-Side Request Forgery (SSRF) vulnerability.
How can this vulnerability impact me? :
This SSRF vulnerability can allow an attacker to make the XWiki server send requests to internal or external systems that the attacker normally cannot access. This could lead to unauthorized access to internal network resources, information disclosure, or interaction with internal services. The attacker might exploit this to gather sensitive information or perform further attacks within the internal network.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the PlantUML Macro to version 2.4.1 or later, where the issue has been patched.