Source: plantuml
Version: 1:1.2020.2+ds-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1:1.2020.2+ds-3

Hi,

The following vulnerability was published for plantuml.

CVE-2026-0858[0]:
| Versions of the package net.sourceforge.plantuml:plantuml before
| 1.2026.0 are vulnerable to Stored XSS due to insufficient
| sanitization of interactive attributes in GraphViz diagrams. As a
| result, a crafted PlantUML diagram can inject malicious JavaScript
| into generated SVG output, leading to arbitrary script execution in
| the context of applications that render the SVG.

While we have quite an old version in Debian, the diagram exporter might
drop the ability to export SVG. The code has moved, but is there in an
earlier revision.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0858
    https://www.cve.org/CVERecord?id=CVE-2026-0858
[1] https://github.com/plantuml/plantuml/commit/6826315db092d2e432aeab1a0894e08017c6e4bd

Regards,
Salvatore
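As an added example (not part of this report, the Debian package or PlantUML's own code), a small Python check for the class of SVG content the advisory describes: it flags on* event-handler attributes, javascript: link targets and script elements in an exported diagram, and strips them. The sample SVG and the function names are constructed for illustration, not a real PlantUML export.

```python
import re
import xml.etree.ElementTree as ET   # for untrusted input, prefer defusedxml's ElementTree

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}   # link targets that may carry javascript: URLs
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)
ET.register_namespace("", SVG_NS)              # serialise back with <svg xmlns=...> as default
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample: a diagram-like SVG with injected interactive attributes
# (not real PlantUML output).
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<g id="node1" onclick="alert(1)"><title>A</title>'
    '<a xlink:href="javascript:alert(1)"><text>A</text></a></g>'
    '<script>alert(1)</script>'
    '<a href="https://example.org/"><text>B</text></a></svg>'
)

def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.split("}")[-1]

def _is_script_attr(name, value):
    """True for on* event handlers and for href/xlink:href pointing at a javascript: URL."""
    return _local(name).lower().startswith("on") or (name in URL_ATTRS and bool(JS_URL.match(value)))

def find_active_content(svg_text):
    """Return (element, attribute) findings in document order; attribute is None for <script>."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        if _local(elem.tag) == "script":
            findings.append(("script", None))
        for name, value in elem.attrib.items():
            if _is_script_attr(name, value):
                findings.append((_local(elem.tag), _local(name)))
    return findings

def sanitize_svg(svg_text):
    """Return the SVG with <script> elements, on* handlers and javascript: URLs removed."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):           # list(): do not mutate the tree while iterating it
        for child in list(parent):
            if _local(child.tag) == "script":
                parent.remove(child)
    for elem in root.iter():
        for name in [n for n, v in elem.attrib.items() if _is_script_attr(n, v)]:
            del elem.attrib[name]
    return ET.tostring(root, encoding="unicode")
```

Running `find_active_content` over an exported diagram is a quick way to tell whether a given PlantUML build still emits script-capable attributes; the sanitizer is a stop-gap for the rendering side, not a replacement for the upstream fix.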

