CVE-2026-0858

6.1 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in PlantUML allows attackers to inject malicious JavaScript into SVG diagrams. When applications render these compromised SVGs, arbitrary script execution occurs in the victim's browser context. Any application using vulnerable PlantUML versions to generate or display diagrams is affected.

💻 Affected Systems

Products:
  • PlantUML
  • Applications using PlantUML library
Versions: All versions before 1.2026.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the GraphViz diagram processing component; affects both server-side generation and client-side rendering scenarios.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of user sessions, credential theft, and unauthorized actions performed on behalf of authenticated users when malicious diagrams are viewed.

🟠 Likely Case

Session hijacking, data exfiltration, and defacement of applications displaying user-generated PlantUML diagrams.

🟢 If Mitigated

Limited impact with proper content security policies and input validation, though XSS payloads could still execute in some contexts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to create or modify PlantUML diagrams; no authentication needed to craft malicious payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2026.0

Vendor Advisory: https://github.com/plantuml/plantuml/releases/tag/v1.2026.0

Restart Required: Yes

Instructions:

1. Update the PlantUML dependency to version 1.2026.0 or later.
2. Update pom.xml or build.gradle to use the fixed version.
3. Rebuild and redeploy applications.
4. Restart any services using PlantUML.

🔧 Temporary Workarounds

Input Sanitization (applies to: all)

Implement server-side sanitization of PlantUML diagram content before processing.

Content Security Policy (applies to: all)

Implement strict CSP headers to prevent script execution from SVG content.

🧯 If You Can't Patch

  • Disable interactive attributes in GraphViz diagram processing
  • Implement output encoding for all SVG content before rendering
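The sanitization, CSP and output-checking items above, as an added example that is not PlantUML's or this advisory's own code: a Python gate a host application can run over a generated SVG before storing or serving it, plus the response headers to serve it under. The function names and the sample SVG strings are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that can carry or host script when an SVG is opened as a document
# (navigated to, or embedded via <iframe>/<object>; an <img> never runs script).
SCRIPT_CAPABLE_TAGS = {"script", "foreignobject"}

def _local(name: str) -> str:
    """Drop an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_text: str) -> list[str]:
    """Report <script>/<foreignObject> elements, on* event-handler attributes and
    javascript: URIs in href/xlink:href. Malformed XML raises ValueError so the caller
    rejects it rather than passing it to a browser that may repair it differently."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in SCRIPT_CAPABLE_TAGS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()  # xlink:href and href both become 'href'
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            # Browsers ignore leading whitespace and case in the scheme, so normalise first.
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in href on <{tag}>")
    return findings

def safe_svg_headers() -> dict[str, str]:
    """Second layer behind the scan: a CSP that blocks script but keeps the inline
    style attributes PlantUML output uses, plus nosniff so the type is not re-guessed."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }

# Constructed samples (not real PlantUML output) for exercising the scanner.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" '
              'style="fill:#fff"/><text>node</text></svg>')
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<script>/* constructed */</script>'
               '<a xlink:href=" JavaScript:void(0)"><text onclick="void(0)">node</text></a></svg>')
```

Wire find_active_content into the path that persists or serves diagrams and reject (or quarantine for review) any SVG that returns findings; the CSP header only helps when the SVG is loaded as a document, so the scan is the primary control.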

🔍 How to Verify

Check if Vulnerable:

Check PlantUML version in dependency files; versions below 1.2026.0 are vulnerable

Check Version:

mvn dependency:tree | grep plantuml
or
gradle dependencies | grep plantuml

Verify Fix Applied:

Verify PlantUML version is 1.2026.0 or higher in application dependencies

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG generation patterns
  • Large PlantUML diagram submissions

Network Indicators:

  • SVG files containing script tags or javascript: URIs

SIEM Query:

source="web_logs" AND (uri="*.svg" OR user_agent="*PlantUML*") AND (content="<script>" OR content="javascript:")
