CVE-2026-46642
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The draw.io application prior to version 29.7.12 contains a vulnerability that allows arbitrary JavaScript execution through a crafted .drawio file. The issue lies in the Text Format panel where the raw cell label is assigned to an element without proper sanitization.
Risk Assessment
Exploitation of this vulnerability could lead to malicious code execution in the user's context, posing a serious threat to the organization's data and system security.
Recommendation
It is recommended to update the draw.io application to version 29.7.12 or later to mitigate this vulnerability.
Original NVD description (English source)
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

