Aggregates CVE and security vulnerability intelligence across all diagrams-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk ssrf, vendor risk path handling, and vendor risk open redirect and related problems; some flaws may lead to vendor impact file overwrite and vendor impact unexpected behavior.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-46642 | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads e | [email protected] | 6.1 | 0.18% | 2026-06-10 | 2026-06-17 |
| CVE-2023-3975 | OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0. | [email protected] | 9.8 | 1.94% | 2023-07-27 | 2026-06-17 |
| CVE-2023-3974 | OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0. | [email protected] | 9.8 | 1.07% | 2023-07-27 | 2026-06-17 |
| CVE-2023-3973 | Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3. | [email protected] | 6.1 | 0.35% | 2023-07-27 | 2026-06-17 |
| CVE-2023-3398 | Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3. | [email protected] | 7.5 | 0.78% | 2023-06-26 | 2026-06-17 |
| CVE-2023-3026 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8. | [email protected] | 6.1 | 0.53% | 2023-05-31 | 2026-06-17 |
| CVE-2022-3873 | Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2. | [email protected] | 6.1 | 0.62% | 2022-11-07 | 2026-06-17 |
| CVE-2022-3223 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1. | [email protected] | 6.1 | 0.59% | 2022-09-16 | 2026-06-17 |
| CVE-2022-3133 | OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0. | [email protected] | 7.8 | 1.30% | 2022-09-09 | 2026-06-17 |
| CVE-2022-3148 | Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. | [email protected] | 6.1 | 0.50% | 2022-09-08 | 2026-06-17 |
| CVE-2022-3138 | Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0. | [email protected] | 6.1 | 0.50% | 2022-09-08 | 2026-06-17 |
| CVE-2022-3127 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8. | [email protected] | 5.4 | 0.47% | 2022-09-05 | 2026-06-17 |
| CVE-2022-3065 | Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8. | [email protected] | 7.5 | 0.98% | 2022-09-02 | 2026-06-17 |
| CVE-2022-2015 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2. | [email protected] | 5.4 | 0.60% | 2022-06-09 | 2026-06-17 |
| CVE-2022-2014 | Code Injection in GitHub repository jgraph/drawio prior to 19.0.2. | [email protected] | 5.4 | 0.69% | 2022-06-09 | 2026-06-17 |
| CVE-2022-1815 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2. | [email protected] | 7.5 | 5.70% | 2022-05-25 | 2026-06-17 |
| CVE-2022-1784 | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8. | [email protected] | 7.5 | 1.69% | 2022-05-20 | 2026-06-17 |
| CVE-2022-1730 | Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4. | [email protected] | 4.6 | 0.58% | 2022-05-19 | 2026-06-17 |
| CVE-2022-1774 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7. | [email protected] | 6.1 | 1.12% | 2022-05-18 | 2026-06-17 |
| CVE-2022-1767 | Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7. | [email protected] | 7.5 | 1.70% | 2022-05-18 | 2026-06-17 |