draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.
CVE-2026-46642
This medium-severity CVE scores 6.1 under a secondary CVSS source (NVD's own analysis pending). EPSS exploit probability: 0.2%, top 87% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 6.1
- EG Score
- 6.1(medium)
- EPSS
- 12.6%
- KEV
- Not listed
Published
June 10, 2026
Last Modified
June 16, 2026
Advisory Details (2)
Auto-updated Jun 13, 2026XSS via crafted cell label when opening a .drawio file · Advisory · jgraph/drawio · GitHub
https://github.com/jgraph/drawio/security/advisories/GHSA-fqhg-287p-c6vfv29.7.12
Patch available: jgraph/drawio v29.7.12
https://github.com/jgraph/drawio/releases/tag/v29.7.12Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 14× in last 7d / 66× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-16 00:48 UTCEG score recompute
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-15 01:51 UTCEG score recompute
- 2026-07-13 23:49 UTCEG score recompute
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 00:26 UTCEG score recompute
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 17:45 UTCEG score recompute
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-10 18:48 UTCEG score recompute
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 05:45 UTCEG score recompute
- 2026-07-08 15:16 UTCEPSS rescore
- 2026-07-08 06:45 UTCEG score recompute
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-07 06:04 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 11:12 UTCEG score recompute
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 11:43 UTCEG score recompute
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-03 08:01 UTCEG score recompute
Show 53 moreShow fewer
- 2026-07-02 06:16 UTCEG score recompute
- 2026-07-01 15:07 UTCEPSS rescore
- 2026-07-01 07:19 UTCEG score recompute
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-30 08:22 UTCEG score recompute
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-29 09:25 UTCEG score recompute
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 10:28 UTCEG score recompute
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 11:13 UTCEG score recompute
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-26 12:15 UTCEG score recompute
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-25 07:06 UTCEG score recompute
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-24 07:58 UTCEG score recompute
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-23 08:30 UTCEG score recompute
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 08:40 UTCEG score recompute
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 08:40 UTCEG score recompute
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-20 09:34 UTCEG score recompute
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 19:26 UTCEPSS rescore
- 2026-06-19 10:28 UTCEG score recompute
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 11:11 UTCEG score recompute
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-17 12:13 UTCEG score recompute
- 2026-06-16 17:53 UTCEPSS rescore
- 2026-06-16 13:14 UTCEG score recompute
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-15 14:13 UTCEG score recompute
- 2026-06-14 15:11 UTCEG score recompute
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-13 16:14 UTCEG score recompute
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 17:14 UTCEG score recompute
- 2026-06-11 18:18 UTCEG score recompute
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-10 19:18 UTCEG score recompute
- 2026-06-10 19:18 UTCNVD updatefirst tracked
Related CVEs(same CWE)
Frequently asked(5)
What is CVE-2026-46642?
When was CVE-2026-46642 disclosed?
Is CVE-2026-46642 actively exploited?
What is the CVSS score of CVE-2026-46642?
How do I remediate CVE-2026-46642?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-46642
Is Your Infrastructure Affected by CVE-2026-46642?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.