CVE-2026-42140
Published:May 04, 2026
Updated:June 25, 2026
PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.
Affected Packages
https://github.com/xwiki-contrib/macro-plantuml.git (GITHUB):
Affected version(s) >=macro-plantuml-1.0 <macro-plantuml-2.4.1Fix Suggestion:
Update to version macro-plantuml-2.4.1org.xwiki.contrib.plantuml:macro-plantuml-macro (JAVA):
Affected version(s) >=2.0 <2.4.1Fix Suggestion:
Update to version 2.4.1Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
EPSS
Base Score:
0.15