diagrams CVE Vulnerabilities & Metrics

Focus on diagrams vulnerabilities and metrics.

Last updated: 16 Jun 2026, 22:25 UTC

About diagrams Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with diagrams. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total diagrams CVEs: 27
Earliest CVE date: 05 May 2022, 12:15 UTC
Latest CVE date: 10 Jun 2026, 18:17 UTC

Latest CVE reference: CVE-2026-46642

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical diagrams CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.48

Max CVSS: 6.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	17
4.0-6.9	10
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS diagrams CVEs

These are the five CVEs with the highest CVSS scores for diagrams, sorted by severity first and recency.

CVE-2022-1727 diagrams Published on 18 May 2022, 14:15 UTC (CVSS: 6.8)
Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.
CVE-2022-1575 diagrams Published on 05 May 2022, 12:15 UTC (CVSS: 6.8)
Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.
CVE-2022-1774 diagrams Published on 18 May 2022, 21:15 UTC (CVSS: 5.8)
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.
CVE-2022-1815 diagrams Published on 25 May 2022, 09:15 UTC (CVSS: 5.0)
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.
CVE-2022-1784 diagrams Published on 20 May 2022, 13:15 UTC (CVSS: 5.0)
Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.

All CVEs for diagrams

CVE-2026-46642 diagrams vulnerability CVSS: 0 10 Jun 2026, 18:17 UTC

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected — which import does automatically. This issue has been patched in version 29.7.12.

CVE-2023-3975 diagrams vulnerability CVSS: 0 27 Jul 2023, 15:15 UTC

OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.

CVE-2023-3974 diagrams vulnerability CVSS: 0 27 Jul 2023, 15:15 UTC

OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

CVE-2023-3973 diagrams vulnerability CVSS: 0 27 Jul 2023, 15:15 UTC

Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.

CVE-2023-3398 diagrams vulnerability CVSS: 0 26 Jun 2023, 11:15 UTC

Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.

CVE-2023-3026 diagrams vulnerability CVSS: 0 01 Jun 2023, 01:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 21.2.8.

CVE-2022-3873 diagrams vulnerability CVSS: 0 07 Nov 2022, 11:15 UTC

Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio prior to 20.5.2.

CVE-2022-3223 diagrams vulnerability CVSS: 0 16 Sep 2022, 11:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.3.1.

CVE-2022-3133 diagrams vulnerability CVSS: 0 09 Sep 2022, 18:15 UTC

OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.

CVE-2022-3148 diagrams vulnerability CVSS: 0 08 Sep 2022, 10:15 UTC

Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

CVE-2022-3138 diagrams vulnerability CVSS: 0 08 Sep 2022, 10:15 UTC

Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

CVE-2022-3127 diagrams vulnerability CVSS: 0 05 Sep 2022, 13:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 20.2.8.

CVE-2022-3065 diagrams vulnerability CVSS: 0 02 Sep 2022, 19:15 UTC

Improper Access Control in GitHub repository jgraph/drawio prior to 20.2.8.

CVE-2022-2015 diagrams vulnerability CVSS: 3.5 09 Jun 2022, 17:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 19.0.2.

CVE-2022-2014 diagrams vulnerability CVSS: 3.5 09 Jun 2022, 17:15 UTC

Code Injection in GitHub repository jgraph/drawio prior to 19.0.2.

CVE-2022-1815 diagrams vulnerability CVSS: 5.0 25 May 2022, 09:15 UTC

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.1.2.

CVE-2022-1784 diagrams vulnerability CVSS: 5.0 20 May 2022, 13:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.8.

CVE-2022-1730 diagrams vulnerability CVSS: 3.5 19 May 2022, 14:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.

CVE-2022-1774 diagrams vulnerability CVSS: 5.8 18 May 2022, 21:15 UTC

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository jgraph/drawio prior to 18.0.7.

CVE-2022-1767 diagrams vulnerability CVSS: 5.0 18 May 2022, 16:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.7.

CVE-2022-1727 diagrams vulnerability CVSS: 6.8 18 May 2022, 14:15 UTC

Improper Input Validation in GitHub repository jgraph/drawio prior to 18.0.6.

CVE-2022-1711 diagrams vulnerability CVSS: 5.0 17 May 2022, 13:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.5.

CVE-2022-1723 diagrams vulnerability CVSS: 5.0 17 May 2022, 09:15 UTC

Server-Side Request Forgery (SSRF) in GitHub repository jgraph/drawio prior to 18.0.6.

CVE-2022-1722 diagrams vulnerability CVSS: 2.1 16 May 2022, 15:15 UTC

SSRF in editor's proxy via IPv6 link-local address in GitHub repository jgraph/drawio prior to 18.0.5. SSRF to internal link-local IPv6 addresses

CVE-2022-1721 diagrams vulnerability CVSS: 5.0 16 May 2022, 15:15 UTC

Path Traversal in WellKnownServlet in GitHub repository jgraph/drawio prior to 18.0.5. Read local files of the web application.

CVE-2022-1713 diagrams vulnerability CVSS: 5.0 16 May 2022, 15:15 UTC

SSRF on /proxy in GitHub repository jgraph/drawio prior to 18.0.4. An attacker can make a request as the server and read its contents. This can lead to a leak of sensitive information.

CVE-2022-1575 diagrams vulnerability CVSS: 6.8 05 May 2022, 12:15 UTC

Arbitrary Code Execution through Sanitizer Bypass in GitHub repository jgraph/drawio prior to 18.0.0. - Arbitrary (remote) code execution in the desktop app. - Stored XSS in the web app.