MEDIUM 6.1

CVE-2026-46642: draw.io XSS Vulnerability – Patch to 29.7.12

draw.io versions before 29.7.12 contain a stored cross-site scripting (XSS) vulnerability triggered when a crafted diagram file (.drawio) is opened. A malicious diagram can embed JavaScript code disguised as image markup that executes in the editor's security context as soon as the file is imported. The vulnerability stems not from the display rendering logic—which properly sanitizes content—but from a feature-detection routine in the Text Format panel that reads raw cell labels and inserts them into the DOM without validation. Attackers can craft and distribute poisoned diagram files that execute arbitrary scripts when opened by a user.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in draw.io's Text Format panel feature-detection code, which retrieves raw cell label content and assigns it directly to a detached DOM element's innerHTML property without sanitization. A specially crafted cell label containing img elements with onerror handlers—e.g., <img src=x onerror="malicious_code()"—bypasses the application's normal label sanitizer because the code path diverges from the standard rendering pipeline. Browsers fire onerror events even for image load failures on detached elements. When a user opens a malicious .drawio file, import triggers automatic cell selection, firing the onerror event and executing the embedded payload in the origin of the editor application. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, or Cross-site Scripting).

Business impact

A compromised or malicious diagram file can execute code within the draw.io editor's security context, potentially allowing an attacker to steal session tokens, modify diagrams, exfiltrate sensitive information displayed in open diagrams, or pivot to other web applications sharing the same origin. Organizations using draw.io for collaborative technical or business documentation workflows face data confidentiality and integrity risks if users download and open untrusted diagram files. Teams working with externally sourced diagrams or those shared via email or public repositories are most exposed. The risk is heightened in enterprises where diagram files are treated as trusted content despite potential tampering during transit or storage.

Affected systems

draw.io versions prior to 29.7.12 are affected. This includes both the standalone application and any deployment of the draw.io codebase integrated into other platforms. Users running draw.io as a web application, desktop client, or embedded service should verify their version and apply the patch. The vulnerability is triggered on file open, so any user or process that imports a .drawio file is at risk.

Exploitability

Exploitability is straightforward: an attacker crafts a .drawio file containing malicious JavaScript in a cell label and distributes it via email, file sharing, or public repository. When a user opens the file, the payload executes automatically during import without requiring additional interaction beyond the file-open action. No special configuration or unusual browser settings are needed. The CVSS score of 6.1 (MEDIUM) reflects the requirement for user interaction (opening the file) and the limited scope of impact, but the ease of weaponization—diagram files are common business artifacts—warrants serious attention. The vulnerability is not currently known to be exploited in the wild according to available intelligence.

Remediation

Upgrade draw.io to version 29.7.12 or later. This release patches the Text Format panel code to sanitize cell labels before inserting them into the DOM, closing the onerror execution path. No workaround is available for earlier versions other than restricting file imports to trusted, verified sources and avoiding opening .drawio files from untrusted parties. Organizations should audit file-sharing practices and educate users to validate the origin of diagram files before importing.

Patch guidance

Apply version 29.7.12 or any subsequent release. Verify the update through your draw.io deployment channel: if you use the official web application, check that your version number reflects 29.7.12 or later via the About or Help menu. For self-hosted or embedded instances, consult your deployment vendor or the draw.io GitHub repository for the patched source code and rebuild/redeploy accordingly. Test the patched version in a non-production environment first, particularly if draw.io is integrated into a larger platform.

Detection guidance

Monitor for .drawio files opened in your environment, especially from external or untrusted sources. Review web server and application logs for unusual JavaScript execution patterns or errors related to draw.io sessions. Browser-based detection is difficult because the payload executes within the application sandbox, but behavioral monitoring tools can flag unexpected network activity or credential access correlated with draw.io editor sessions. For file-based detection, scan .drawio files (which are XML-based) for img tags containing onerror attributes, particularly those with inline scripts or suspicious function calls. Endpoint detection and response (EDR) tools should monitor for code execution initiated by the draw.io process or browser tab.

Why prioritize this

While the CVSS score is MEDIUM (6.1), the vulnerability merits prompt but measured attention. The attack surface is low—users must open a malicious file—but the likelihood of targeted distribution is moderate given that diagram files are routine business communication artifacts. Organizations should prioritize patching in the following order: (1) environments where users frequently receive diagrams from external parties, (2) instances exposed to the internet, (3) all remaining instances. The lack of KEV (Known Exploited Vulnerability) status and current absence of public exploits reduce the urgency slightly, but patch within 30 days is reasonable.

Risk score, explained

The CVSS 3.1 score of 6.1 / MEDIUM reflects: (i) network attack vector—files can be distributed remotely; (ii) low attack complexity—no special conditions needed; (iii) no privileges required; (iv) required user interaction—file must be opened; (v) changed scope—script executes in the editor's origin and could affect other applications on that origin; (vi) low confidentiality impact—exfiltration of data visible in diagrams or session tokens; (vii) low integrity impact—ability to modify or craft diagrams; (viii) no availability impact. The score does not account for the high ease of crafting malicious payloads or the common role of diagram files in business workflows, so practitioners should consider the practical risk context alongside the score.

Frequently asked questions

Can this vulnerability affect draw.io desktop or offline versions?

Yes. The vulnerability exists in the core application logic, not the server or web container. Desktop versions and offline modes that import .drawio files locally are equally vulnerable. If your deployment includes standalone desktop clients, ensure those are updated to 29.7.12 or later as well.

If I use draw.io as an embedded library or plugin in another application, am I affected?

Possibly. If the embedding application uses a version of draw.io prior to 29.7.12 and allows users to import .drawio files, the vulnerability is inherited. Work with your application vendor to confirm their draw.io version and deploy patches through your normal update channel. Do not assume the embedding vendor has automatically included the latest draw.io code.

What if I only create diagrams within draw.io and never import files from external sources?

Your risk is lower but not zero. Internal users could accidentally import a malicious diagram, or an attacker with network access could attempt to inject a crafted file into your workflow. Patching removes the vulnerability entirely rather than relying on user behavior or network controls.

Does the patch break backward compatibility or require data migration?

No. The patch only changes how cell labels are sanitized before insertion into the DOM; it does not alter the file format, data storage, or normal diagram functionality. Existing .drawio files will open and function normally in the patched version.

This analysis is provided for informational purposes and does not constitute legal or professional advice. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Organizations should conduct their own risk assessments and validate all technical details against vendor advisories and their specific environments. CVSS scores, patch version numbers, and affected product lists are sourced from official CVE and vendor data and should be verified independently. No liability is assumed for actions taken or omitted based on this content. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).