CVE-2026-0858: PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams

January 16, 2026

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

References

github.com/advisories/GHSA-hrvf-g648-rf3m
github.com/plantuml/plantuml
github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd
github.com/plantuml/plantuml/releases/tag/v1.2026.0
nvd.nist.gov/vuln/detail/CVE-2026-0858
security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEPLANTUML-14552230

Code Behaviors & Features

Detect and mitigate CVE-2026-0858 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →