PatchSiren cyber security CVE debrief
CVE-2026-46642 jgraph CVE debrief
CVE-2026-46642 is a vulnerability in draw.io, a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected, which import does automatically.
- Vendor: jgraph
- Product: drawio
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of draw.io who open .drawio files from untrusted sources are exposed: simply opening such a file in a version before 29.7.12 is enough to trigger the payload, so they should update and treat untrusted diagrams with care.
Technical summary
The vulnerability exists in a feature-detection routine in the Text Format panel of draw.io. When a .drawio file with a crafted cell label is opened, the raw cell label is assigned to a detached element's innerHTML without sanitization; because browsers still fire onerror for failed image loads on detached elements, this lets an attacker who can get the file opened execute arbitrary JavaScript in the editor's origin.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 29.7.12 or later
- Treat .drawio files from untrusted sources as active content; in an unpatched editor, opening the file is enough to trigger the payload, since import selects the cell automatically
Evidence notes
CVE-2026-46642 has a CVSS score of 6.1 and is classified as MEDIUM severity. The vulnerability was published on 2026-06-10T18:17:06.007Z and modified on 2026-06-11T14:16:28.880Z.