MEDIUM
jgraph
CVE published 2026-06-10
CVE-2026-46642
CVE-2026-46642 is a vulnerability in draw.io, a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw c [truncated]