Vulnerability Details CVE-2026-0858
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.0%
CVSS Severity
CVSS v3 Score 6.1
Products affected by CVE-2026-0858
- cpe:2.3:a:plantuml:plantuml:1.2017.12
- cpe:2.3:a:plantuml:plantuml:1.2017.13
- cpe:2.3:a:plantuml:plantuml:1.2017.14
- cpe:2.3:a:plantuml:plantuml:1.2017.15
- cpe:2.3:a:plantuml:plantuml:1.2017.17
- cpe:2.3:a:plantuml:plantuml:1.2017.18
- cpe:2.3:a:plantuml:plantuml:1.2017.19
- cpe:2.3:a:plantuml:plantuml:1.2017.20
- cpe:2.3:a:plantuml:plantuml:1.2018.0
- cpe:2.3:a:plantuml:plantuml:1.2018.1
- cpe:2.3:a:plantuml:plantuml:1.2018.10
- cpe:2.3:a:plantuml:plantuml:1.2018.11
- cpe:2.3:a:plantuml:plantuml:1.2018.12
- cpe:2.3:a:plantuml:plantuml:1.2018.13
- cpe:2.3:a:plantuml:plantuml:1.2018.14
- cpe:2.3:a:plantuml:plantuml:1.2018.2
- cpe:2.3:a:plantuml:plantuml:1.2018.3
- cpe:2.3:a:plantuml:plantuml:1.2018.4
- cpe:2.3:a:plantuml:plantuml:1.2018.5
- cpe:2.3:a:plantuml:plantuml:1.2018.6
- cpe:2.3:a:plantuml:plantuml:1.2018.7
- cpe:2.3:a:plantuml:plantuml:1.2018.8
- cpe:2.3:a:plantuml:plantuml:1.2018.9
- cpe:2.3:a:plantuml:plantuml:1.2019.0
- cpe:2.3:a:plantuml:plantuml:1.2019.1
- cpe:2.3:a:plantuml:plantuml:1.2019.10
- cpe:2.3:a:plantuml:plantuml:1.2019.11
- cpe:2.3:a:plantuml:plantuml:1.2019.12
- cpe:2.3:a:plantuml:plantuml:1.2019.13
- cpe:2.3:a:plantuml:plantuml:1.2019.2
- cpe:2.3:a:plantuml:plantuml:1.2019.4
- cpe:2.3:a:plantuml:plantuml:1.2019.5
- cpe:2.3:a:plantuml:plantuml:1.2019.6
- cpe:2.3:a:plantuml:plantuml:1.2019.7
- cpe:2.3:a:plantuml:plantuml:1.2019.8
- cpe:2.3:a:plantuml:plantuml:1.2019.9
- cpe:2.3:a:plantuml:plantuml:1.2020.0
- cpe:2.3:a:plantuml:plantuml:1.2020.1
- cpe:2.3:a:plantuml:plantuml:1.2020.10
- cpe:2.3:a:plantuml:plantuml:1.2020.11
- cpe:2.3:a:plantuml:plantuml:1.2020.12
- cpe:2.3:a:plantuml:plantuml:1.2020.13
- cpe:2.3:a:plantuml:plantuml:1.2020.14
- cpe:2.3:a:plantuml:plantuml:1.2020.15
- cpe:2.3:a:plantuml:plantuml:1.2020.16
- cpe:2.3:a:plantuml:plantuml:1.2020.17
- cpe:2.3:a:plantuml:plantuml:1.2020.18
- cpe:2.3:a:plantuml:plantuml:1.2020.19
- cpe:2.3:a:plantuml:plantuml:1.2020.2
- cpe:2.3:a:plantuml:plantuml:1.2020.20
- cpe:2.3:a:plantuml:plantuml:1.2020.21
- cpe:2.3:a:plantuml:plantuml:1.2020.22
- cpe:2.3:a:plantuml:plantuml:1.2020.23
- cpe:2.3:a:plantuml:plantuml:1.2020.24
- cpe:2.3:a:plantuml:plantuml:1.2020.26
- cpe:2.3:a:plantuml:plantuml:1.2020.3
- cpe:2.3:a:plantuml:plantuml:1.2020.4
- cpe:2.3:a:plantuml:plantuml:1.2020.6
- cpe:2.3:a:plantuml:plantuml:1.2020.7
- cpe:2.3:a:plantuml:plantuml:1.2020.8
- cpe:2.3:a:plantuml:plantuml:1.2020.9
- cpe:2.3:a:plantuml:plantuml:1.2021.0
- cpe:2.3:a:plantuml:plantuml:1.2021.1
- cpe:2.3:a:plantuml:plantuml:1.2021.10
- cpe:2.3:a:plantuml:plantuml:1.2021.12
- cpe:2.3:a:plantuml:plantuml:1.2021.13
- cpe:2.3:a:plantuml:plantuml:1.2021.14
- cpe:2.3:a:plantuml:plantuml:1.2021.15
- cpe:2.3:a:plantuml:plantuml:1.2021.16
- cpe:2.3:a:plantuml:plantuml:1.2021.2
- cpe:2.3:a:plantuml:plantuml:1.2021.3
- cpe:2.3:a:plantuml:plantuml:1.2021.4
- cpe:2.3:a:plantuml:plantuml:1.2021.5
- cpe:2.3:a:plantuml:plantuml:1.2021.6
- cpe:2.3:a:plantuml:plantuml:1.2021.7
- cpe:2.3:a:plantuml:plantuml:1.2021.8
- cpe:2.3:a:plantuml:plantuml:1.2021.9
- cpe:2.3:a:plantuml:plantuml:1.2022.0
- cpe:2.3:a:plantuml:plantuml:1.2022.1
- cpe:2.3:a:plantuml:plantuml:1.2022.10
- cpe:2.3:a:plantuml:plantuml:1.2022.11
- cpe:2.3:a:plantuml:plantuml:1.2022.12
- cpe:2.3:a:plantuml:plantuml:1.2022.13
- cpe:2.3:a:plantuml:plantuml:1.2022.14
- cpe:2.3:a:plantuml:plantuml:1.2022.2
- cpe:2.3:a:plantuml:plantuml:1.2022.3
- cpe:2.3:a:plantuml:plantuml:1.2022.4
- cpe:2.3:a:plantuml:plantuml:1.2022.5
- cpe:2.3:a:plantuml:plantuml:1.2022.6
- cpe:2.3:a:plantuml:plantuml:1.2022.7
- cpe:2.3:a:plantuml:plantuml:1.2022.8
- cpe:2.3:a:plantuml:plantuml:1.2022.9
- cpe:2.3:a:plantuml:plantuml:1.2023.0
- cpe:2.3:a:plantuml:plantuml:1.2023.1
- cpe:2.3:a:plantuml:plantuml:1.2023.10
- cpe:2.3:a:plantuml:plantuml:1.2023.11
- cpe:2.3:a:plantuml:plantuml:1.2023.12
- cpe:2.3:a:plantuml:plantuml:1.2023.13
- cpe:2.3:a:plantuml:plantuml:1.2023.2
- cpe:2.3:a:plantuml:plantuml:1.2023.3
- cpe:2.3:a:plantuml:plantuml:1.2023.4
- cpe:2.3:a:plantuml:plantuml:1.2023.5
- cpe:2.3:a:plantuml:plantuml:1.2023.6
- cpe:2.3:a:plantuml:plantuml:1.2023.7
- cpe:2.3:a:plantuml:plantuml:1.2023.8
- cpe:2.3:a:plantuml:plantuml:1.2023.9
- cpe:2.3:a:plantuml:plantuml:1.2024.0
- cpe:2.3:a:plantuml:plantuml:1.2024.1
- cpe:2.3:a:plantuml:plantuml:1.2024.2
- cpe:2.3:a:plantuml:plantuml:1.2024.3
- cpe:2.3:a:plantuml:plantuml:1.2024.4
- cpe:2.3:a:plantuml:plantuml:1.2024.5
- cpe:2.3:a:plantuml:plantuml:1.2024.6
- cpe:2.3:a:plantuml:plantuml:1.2024.7
- cpe:2.3:a:plantuml:plantuml:1.2024.8
- cpe:2.3:a:plantuml:plantuml:1.2025.0
- cpe:2.3:a:plantuml:plantuml:1.2025.1
- cpe:2.3:a:plantuml:plantuml:1.2025.10
- cpe:2.3:a:plantuml:plantuml:1.2025.2
- cpe:2.3:a:plantuml:plantuml:1.2025.3
- cpe:2.3:a:plantuml:plantuml:1.2025.4
- cpe:2.3:a:plantuml:plantuml:1.2025.5
- cpe:2.3:a:plantuml:plantuml:1.2025.6
- cpe:2.3:a:plantuml:plantuml:1.2025.7
- cpe:2.3:a:plantuml:plantuml:1.2025.8
- cpe:2.3:a:plantuml:plantuml:1.2025.9