
CVE-2026-0858: Stored XSS in net.sourceforge.plantuml:plantuml

Severity: Medium
Type: Vulnerability
Tags: cve, cve-2026-0858
Published: Fri Jan 16 2026 (01/16/2026, 05:00:06 UTC)
Source: CVE Database V5
Product: net.sourceforge.plantuml:plantuml

Description

CVE-2026-0858 is a medium severity stored cross-site scripting (XSS) vulnerability affecting net.sourceforge.plantuml:plantuml versions before 1.2026.0. The flaw arises from insufficient sanitization of interactive attributes in GraphViz diagrams embedded within PlantUML diagrams. An attacker can craft a malicious PlantUML diagram that injects JavaScript into the generated SVG output. When applications render these SVGs, the malicious script executes in the context of the user’s browser, potentially leading to session hijacking, data theft, or other malicious actions. Exploitation does not require authentication but does require user interaction to view the malicious SVG. No known exploits are currently reported in the wild.

AI-Powered Analysis

Last updated: 01/16/2026, 05:27:42 UTC

Technical Analysis

CVE-2026-0858 is a stored cross-site scripting (XSS) vulnerability identified in the PlantUML package (net.sourceforge.plantuml:plantuml) prior to version 1.2026.0. PlantUML is a popular tool used to generate diagrams from plain text descriptions, often leveraging GraphViz for layout and SVG for output. The vulnerability stems from inadequate sanitization of interactive attributes within GraphViz diagrams embedded in PlantUML files. Specifically, crafted PlantUML diagrams can include malicious JavaScript payloads within SVG outputs. When these SVGs are rendered by applications or web interfaces that incorporate PlantUML-generated diagrams, the embedded scripts execute in the user’s browser context. This can lead to arbitrary script execution, enabling attackers to perform actions such as stealing cookies, session tokens, or performing actions on behalf of the user. The CVSS 4.0 score is 5.1 (medium severity), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction and limited impact on integrity. The vulnerability does not require authentication, increasing its risk in environments where untrusted users can submit PlantUML diagrams or where diagrams are shared externally. No public exploits have been reported yet, but the potential for abuse exists especially in collaborative or documentation-heavy environments. The vulnerability was published on January 16, 2026, and users are advised to upgrade to version 1.2026.0 or later where the issue is addressed.

Potential Impact

For European organizations, the impact of CVE-2026-0858 can be significant in environments where PlantUML is used for generating and sharing diagrams, such as software development teams, technical documentation, and collaborative platforms. Exploitation could lead to unauthorized script execution in users’ browsers, resulting in session hijacking, data leakage, or unauthorized actions within web applications that render these SVGs. This risk is heightened in organizations that allow external contributors to submit PlantUML diagrams or where diagrams are embedded in internal portals accessible by multiple users. Confidentiality could be compromised if sensitive session tokens or credentials are stolen. Integrity of user sessions and availability of services could also be indirectly affected if attackers leverage the XSS to perform further attacks such as phishing or malware delivery. Although no known exploits exist currently, the medium severity score and ease of exploitation without authentication mean that organizations should act proactively to prevent potential attacks. The vulnerability could also undermine trust in documentation and collaboration tools if exploited.

Mitigation Recommendations

European organizations should immediately upgrade PlantUML to version 1.2026.0 or later, where the vulnerability is fixed. Until upgrades are fully deployed, organizations should implement strict input validation and sanitization on any user-submitted PlantUML diagrams, especially those that generate SVG outputs. Restrict diagram submission privileges to trusted users only and avoid rendering untrusted diagrams in web contexts without proper sandboxing. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of potential XSS payloads. Additionally, monitor logs and user reports for unusual behavior related to diagram rendering. Educate users about the risks of interacting with untrusted diagrams and encourage reporting of suspicious content. For web applications embedding PlantUML-generated SVGs, consider rendering diagrams server-side to static images or using safer output formats until the vulnerability is fully mitigated. Regularly review and update security policies related to third-party tools and diagram sharing platforms.
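The mitigation section above recommends sanitizing diagram output before it is rendered in a web context. The following Python script is an added example for this advisory, not PlantUML's own code and not a patch for the vulnerability: it strips script-bearing elements, event-handler attributes and hrefs with script schemes from an SVG document before it is embedded in a page. The deny-lists, the function names and the sample SVG (which stands in for a diagram tool's output and uses placeholder link targets and a placeholder `hypothetical_payload()` function) are all constructed for the example.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the usual prefixes on output instead of ElementTree's generated ns0/ns1.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed deny-list for this example: elements that run script or embed active content.
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
# URL schemes that must never appear in an href of an SVG that is rendered inline.
BLOCKED_SCHEMES = {"javascript", "vbscript", "data"}


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def has_blocked_scheme(url: str) -> bool:
    """True if the URL has a blocked scheme once browser-ignored control characters are removed."""
    compact = re.sub(r"[\x00-\x20]", "", url)  # browsers skip these before and inside the scheme
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", compact)
    return bool(match) and match.group(1).lower() in BLOCKED_SCHEMES


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized SVG text, list of removals) for an SVG produced by a diagram tool."""
    root = ET.fromstring(svg_text)
    removals: list[str] = []

    # Pass 1: drop active elements. Snapshot the tree first so removals do not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            name = local_name(child.tag)
            if name in BLOCKED_ELEMENTS:
                parent.remove(child)
                removals.append(f"element <{name}>")

    # Pass 2: drop on* event handlers and hrefs with a blocked scheme from what remains.
    for elem in list(root.iter()):
        tag = local_name(elem.tag)
        for attr in list(elem.attrib):
            name = local_name(attr).lower()
            if name.startswith("on"):
                del elem.attrib[attr]
                removals.append(f"attribute {name} on <{tag}>")
            elif name == "href" and has_blocked_scheme(elem.attrib[attr]):
                del elem.attrib[attr]
                removals.append(f"href with blocked scheme on <{tag}>")

    return ET.tostring(root, encoding="unicode"), removals


# Constructed sample standing in for a diagram tool's SVG output. node1 carries a legitimate
# link that must survive; node2 and the trailing <script> carry the parts that must be removed.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="240" height="120">
<g id="node1" class="node">
<a xlink:href="https://docs.example.invalid/node1" target="_blank">
<title>node1</title>
<ellipse cx="60" cy="60" rx="40" ry="20"/>
</a>
</g>
<g id="node2" class="node" onclick="hypothetical_payload()">
<a xlink:href="javascript:hypothetical_payload()">
<text x="140" y="60">node2</text>
</a>
</g>
<script>hypothetical_payload()</script>
</svg>"""


if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE_SVG)
    for item in removed:
        print("removed:", item)
    print(clean)
```

Two caveats on using this in practice. The standard-library parser does not defend against entity-expansion attacks on the XML itself, so untrusted SVG should be parsed with `defusedxml` or with a resolver that rejects DTDs. And a deny-list sanitizer is a stopgap for untrusted diagrams until the fixed PlantUML version is deployed; embedding the SVG through an `<img>` element (which does not execute scripts) or serving it with a Content-Security-Policy that forbids inline script, as the advisory suggests, removes the execution path rather than relying on the list being complete.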


Technical Details

Data Version: 5.2
Assigner Short Name: snyk
Date Reserved: 2026-01-12T09:57:41.760Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6969c8f27c726673b6f36687

Added to database: 1/16/2026, 5:13:22 AM

Last enriched: 1/16/2026, 5:27:42 AM

Last updated: 1/16/2026, 6:22:23 AM

