CVE-2026-42140

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

4.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 07, 2026

CWE ID

CWE-918

Source

NVD

Vendor

xwiki-contrib

Product

macro-plantuml

External References

https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c
https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc
https://jira.xwiki.org/browse/PLANTUML-25

CVE-2026-42140

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment