Description
Versions of diagram-js prior to 3.3.1 (for 3.x) and 2.6.2 (for 2.x) are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript.
Recommendation
Update the diagram-js package to the latest compatible version. Followings are version details:
Affected version(s): **>= 3.0.0, < 3.3.1 < 2.6.2** Patched version(s): **3.3.1 2.6.2**
References
Related Issues
- Cross-Site Scripting in buefy - Vulnerability
- html2pdf.js contains a cross-site scripting vulnerability - CVE-2026-22787
- CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package - CVE-2025-58064
- QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
You might also like:
- Tags:
- npm
- diagram-js
Anything's wrong? Let us know Last updated on October 03, 2023