Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1909

NIXPKGS-2026-1909
published 14 hours ago
draw.io: XSS via crafted cell label when opening a .drawio file
Permalink CVE-2026-46642
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 14 hours ago by @LeSuisse Activity log
  • Created suggestion 20 hours ago
  • @LeSuisse ignored
    6 packages
    • pandoc-drawio-filter
    • python313Packages.mkdocs-drawio-file
    • python314Packages.mkdocs-drawio-file
    • vscode-extensions.hediet.vscode-drawio
    • python313Packages.mkdocs-drawio-exporter
    • python314Packages.mkdocs-drawio-exporter
    14 hours ago
  • @LeSuisse accepted 14 hours ago
  • @LeSuisse published on GitHub 14 hours ago
draw.io: XSS via crafted cell label when opening a .drawio file

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

Affected products

drawio
  • ==< 29.7.12

Matching in nixpkgs

Ignored packages (6)

pkgs.pandoc-drawio-filter

Pandoc filter which converts draw.io diagrams to PDF

  • nixos-unstable 1.1
    • nixpkgs-unstable 1.1
    • nixos-unstable-small 1.1
  • nixos-26.05 1.1
    • nixos-26.05-small 1.1
    • nixpkgs-26.05-darwin 1.1

Package maintainers