{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0858", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-01-12T09:57:41.760Z", "datePublished": "2026-01-16T05:00:06.808Z", "dateUpdated": "2026-01-16T14:10:00.485Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P"}}], "credits": [{"value": "Catalin Iovita (Snyk Security Research)", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Stored XSS", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-01-16T05:00:06.808Z"}, "descriptions": [{"value": "Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"}, {"url": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd"}, {"url": "https://github.com/plantuml/plantuml/releases/tag/v1.2026.0"}], "affected": [{"product": "net.sourceforge.plantuml:plantuml", "versions": [{"version": "0", "lessThan": "1.2026.0", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T14:09:52.779738Z", "id": "CVE-2026-0858", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:10:00.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0858", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T14:09:52.779738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:09:56.891Z"}}], "cna": {"credits": [{"lang": "en", "value": "Catalin Iovita (Snyk Security Research)"}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "confidentialityImpact": "LOW"}, "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "n/a", "product": "net.sourceforge.plantuml:plantuml", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2026.0", "versionType": "semver"}]}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"}, {"url": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd"}, {"url": "https://github.com/plantuml/plantuml/releases/tag/v1.2026.0"}], "descriptions": [{"lang": "en", "value": "Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Stored XSS"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-01-16T05:00:06.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0858", "state": "PUBLISHED", "dateUpdated": "2026-01-16T14:10:00.485Z", "dateReserved": "2026-01-12T09:57:41.760Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2026-01-16T05:00:06.808Z", "assignerShortName": "snyk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plantuml:plantuml:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E36C622-030B-42A0-9663-4E1071E0882C", "versionEndExcluding": "1.2026.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG."}, {"lang": "es", "value": "Versiones del paquete net.sourceforge.plantuml:plantuml anteriores a 1.2026.0 son vulnerables a XSS Almacenado debido a una sanitizaci\u00f3n insuficiente de atributos interactivos en diagramas de GraphViz. Como resultado, un diagrama PlantUML manipulado puede inyectar JavaScript malicioso en la salida SVG generada, lo que lleva a la ejecuci\u00f3n arbitraria de scripts en el contexto de aplicaciones que renderizan el SVG."}], "id": "CVE-2026-0858", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-01-16T05:16:16.117", "references": [{"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd"}, {"source": "report@snyk.io", "tags": ["Release Notes"], "url": "https://github.com/plantuml/plantuml/releases/tag/v1.2026.0"}, {"source": "report@snyk.io", "tags": ["Vendor Advisory", "Patch"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "plantuml: PlantUML: Arbitrary script execution via Stored Cross-Site Scripting in GraphViz diagrams", "id": "2430303", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430303"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["A flaw was found in PlantUML. This vulnerability, known as Stored Cross-Site Scripting (XSS), occurs due to insufficient sanitization of interactive attributes within GraphViz diagrams. A remote attacker can exploit this by crafting a malicious PlantUML diagram, which then injects harmful JavaScript into the generated Scalable Vector Graphics (SVG) output. This can lead to arbitrary script execution within applications that render the affected SVG."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid processing or rendering PlantUML diagrams from untrusted sources. If processing untrusted diagrams is unavoidable, ensure that the environment where the SVG output is rendered is adequately sandboxed to limit the impact of potential script execution. This operational control helps reduce exposure to the Stored XSS flaw."}, "name": "CVE-2026-0858", "package_state": [{"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/grafana-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-cni-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-must-gather-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-operator-bundle", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/istio-rhel8-operator", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/pilot-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/proxyv2-rhel9", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/ratelimit-rhel8", "product_name": "OpenShift Service Mesh 2"}], "public_date": "2026-01-16T05:00:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-0858\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0858\nhttps://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd\nhttps://github.com/plantuml/plantuml/releases/tag/v1.2026.0\nhttps://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230"], "statement": "This vulnerability is rated Moderate for Red Hat. It affects PlantUML versions prior to 1.2026.0, allowing Stored Cross-Site Scripting (XSS) through crafted GraphViz diagrams. When a malicious PlantUML diagram is processed, it can inject arbitrary JavaScript into the generated SVG output, which then executes in the context of applications rendering the SVG. Exploitation requires user interaction with a crafted diagram.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T05:50:12.158592+00:00", "value": {"mitigation_remediation": ["Upgrade to PlantUML v1.2026.0 or later, which removes the insecure handling of interactive GraphViz attributes.", "If upgrading is delayed, sanitize or strip interactive attributes from any generated SVG before it is served to users, and restrict the use of untrusted diagram input.", "Monitor application logs for signs of injected script execution and disable diagram import functionality if it is not essential to operations."], "summary": {"action": "Patch", "impact": "Script execution via stored XSS"}, "threat_synthesis": {"affected_systems": "PlantUML (net.sourceforge.plantuml:plantuml) versions older than 1.2026.0 are affected. Clients that generate or display GraphViz diagrams with these older versions can be exploited.", "description_and_impact": "The vulnerability is a stored cross\u2011site scripting flaw that originates from insufficient sanitization of interactive attributes in GraphViz diagrams produced by PlantUML. A maliciously crafted diagram can inject JavaScript into the resulting SVG, which then executes with the privileges of any application that renders the SVG. This is an input validation weakness, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate risk, while the EPSS score of less than 1\u202f% shows a very low probability of exploitation, and it is not listed in the CISA KEV catalog. Exploitation requires that an attacker supply a PlantUML diagram that the application stores and later renders as SVG; the injected script runs in the context of the rendering application or the user's session, potentially enabling data theft or session hijacking. Attackers with the ability to influence the content rendered by the vulnerable application are the primary threat actors."}}}}, "created": "2026-01-16T13:41:45.494029+00:00", "updated": "2026-04-18T06:00:08.486691+00:00", "vendors": ["plantuml", "plantuml$PRODUCT$plantuml"]}