Home > Vulnerability Database > CVE-2026-0858

Mend.io Vulnerability Database

CVE-2026-0858

Good to know:

Date: January 16, 2026

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.

Severity Score

4.7

Related Resources (5)

Url: https://github.com/plantuml/plantuml/releases/tag/v1.2026.0

Url: https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd

Url: https://github.com/plantuml/plantuml

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-0858

Url: https://www.mend.io/vulnerability-database/CVE-2026-0858

Severity Score

4.7

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version net.sourceforge.plantuml:plantuml:1.2026.0;https://github.com/plantuml/plantuml.git - v1.2026.0

Learn More

CVSS v3.1

Base Score:	4.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-0858

Good to know:

Date: January 16, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?