jgraph / drawio
Project repository
draw.io is a JavaScript, client-side editor for general diagramming.
Response targets: first interaction within 1 day, review within 1 day, fix within 7 days.

Reports
Title | Date | Reporter | Status / severity | Bounty | CVE
Insufficient checks lead to ability to bypass payment to third-party service Ope... | Oct 1st 2024 | radl97 | Medium | - | -
Overwrite native Mathjax Markdown functions via certain macros | Jul 28th 2023 | pihunter50-test | informative / None | - | -
XSS with CSP bypass leads to diagrams backdoor | Jul 27th 2023 | kevin-mizu | Critical | $3000 | CVE-2023-3973
HTML Injection via PlantUML (text) feature | Jul 13th 2023 | chb9 | informative / None | - | -
Open Redirect via deskDomain | Jul 5th 2023 | p0cas | None | - | -
Desktop APP XSS to RCE | Jul 27th 2023 | kevin-mizu | High | $1500 | CVE-2023-3975
SSRF through insecure PlantUML configuration | Jun 14th 2023 | zeyu2001 | informative / High | - | -
Desktop APP RCE via saveDraft IPC | Jul 27th 2023 | kevin-mizu | Critical | $3000 | CVE-2023-3974
Insecure Direct Object Reference (IDOR) Vulnerability & Cross-Site Scripting (XS... | Jun 6th 2023 | ellord0xd | spam | - | -
Lack of Input Validation | Jun 6th 2023 | ellord0xd | not applicable | - | -
Inadequate Error Handling | Jun 6th 2023 | ellord0xd | not applicable | - | -
Directory Traversal | Jun 6th 2023 | ellord0xd | not applicable | - | -
Cross-site Scripting in Preview function bypass CSP | Jun 1st 2023 | nhienit2010 | Medium | $300 | -
Cross-site Scripting and CSP Bypass in app.diagrams.net | Jun 1st 2023 | nhienit2010 | Medium | $300 | CVE-2023-3026
AWS credentials exposure | Mar 30th 2023 | omareltf | None | - | -
XSS and XXE due to .svg file is imported from unclaimed s3 bucket inside <img sr... | Mar 21st 2023 | gauravbhatia1211 | informative / Critical | - | -
HTML/Link Injection | Feb 20th 2023 | dev696 | spam | - | -
"from Template URL" parameter is vulnerable to external service interaction (SSR... | Feb 10th 2023 | earth2sky | spam | - | -
HTML injection leads to Open Redirect | Feb 6th 2023 | cupc4k3 | spam | - | -
Path manipulation | Jan 25th 2023 | petasplit | spam | - | -
Open redirect | Jan 25th 2023 | petasplit | spam | - | -
Privacy violation | Jan 25th 2023 | petasplit | spam | - | -
Command injection | Jan 25th 2023 | petasplit | spam | - | -
stored xss in diagrams element | Nov 20th 2022 | osama-shift | spam | - | -
XSS and CSP bypass in app.diagrams.net | Nov 5th 2022 | joaovitormaia | Medium | $300 | CVE-2022-3873
Uncontrolled recursion via redirecting the /proxy to call /embed2.js | Oct 24th 2022 | haxatron | informative / High | - | -
app.diagrams.net allows redirection to arbitrary URLs | Oct 21st 2022 | mqsecx2 | not applicable | - | -
Denial of Service in proxy by redirecting to own host | Oct 21st 2022 | myyxl | High | $900 | -
Cross-site request forgery (CSRF) | Sep 16th 2022 | mike993 | duplicate / Medium | - | -
XSS via Mathematical Typesetting | Sep 15th 2022 | kevin-mizu | Medium | $300 | CVE-2022-3223
Out-of-band resource load (HTTP) in /proxy endpoint | Sep 11th 2022 | anhdq201 | spam | - | -
SSRF via SVG | Sep 11th 2022 | mohamedabdelhady933 | spam | - | -
XSS at app.diagrams.net | Sep 7th 2022 | joaovitormaia | Medium | $300 | CVE-2022-3148
unpatched vulnerability | Sep 6th 2022 | maakthon | duplicate / None | - | -
XSS at https://viewer.diagrams.net/ | Sep 7th 2022 | joaovitormaia | Medium | $360 | CVE-2022-3138
XSS with CSP bypass on WEB instances | Sep 5th 2022 | kevin-mizu | Medium | $300 | CVE-2022-3127
Desktop APP XSS to RCE | Sep 9th 2022 | kevin-mizu | High | $900 | CVE-2022-3133
Access of Remote Resource without Timeout | Sep 1st 2022 | maakthon | spam | - | -
drawio are vulnerable to a remote authenticated attacker due to Node.js CVE-2022... | Aug 31st 2022 | imhunterand | spam | - | -
No rate limit via proxy url parameter | Sep 1st 2022 | maakthon | Medium | $300 | CVE-2022-3065
d3-color Regular Expression Denial of Service (ReDoS) | Aug 24th 2022 | mac-lawson | spam | - | -
ReDoS in isLink Regex | Aug 15th 2022 | sim4n6 | spam | - | -
Tabnabbing via window.opener [www.diagrams.net] | Aug 14th 2022 | agnihackers | spam | - | -
Improper Input Validation leads to malicious CSV file download | Jul 4th 2022 | kevin-mizu | not applicable | - | -
Client-side denial of service via CSV import | Jun 29th 2022 | vovikhangcdv | informative / None | - | -
Default 404 Page Leads to Full Path Disclosure | Jun 24th 2022 | whokilleddb | informative / None | - | -
Forward credential header to attacker host | Jun 15th 2022 | am0o0 | Medium | $300 | -
Client-Side RCE and Stored XSS via Unsafe Deserialization of Diagrams | Jun 7th 2022 | 7085 | Critical | $2000 | CVE-2022-2014
Stored XSS via Deserialization of Stylesheets | Jun 7th 2022 | 7085 | Medium | $300 | CVE-2022-2015
The drawio app allows large characters to insert in the input field "Edit Data"... | Jun 6th 2022 | akshayravic09yc47 | not applicable | - | -
proxying Big files leads to potential DOS [/proxy] | May 26th 2022 | am0o0 | Medium | $300 | -
proxying Big files leads to potential DOS | May 26th 2022 | am0o0 | Medium | $300 | CVE-2023-3398
Insufficient restriction of rendered UI layers or frames leading to clickjacking... | May 23rd 2022 | deleterepo | informative / Medium | - | -
SSRF in /service endpoint | May 24th 2022 | am0o0 | Medium | $300 | CVE-2022-1815
Denial of Service on embed2 servlet | May 20th 2022 | joaovitormaia | High | $900 | -
Arbitrary Code Execution - Add External Plugins | May 19th 2022 | ninj4c0d3r | informative / High | - | -
SSRF in Upload URL Parameter | May 18th 2022 | vishalvishw10 | informative / None | - | -
Exif Data Exposure | May 18th 2022 | gaurav-g2 | informative / None | - | -
Private IP addresses disclosed | May 18th 2022 | nilabhrajpoot | not applicable | - | -
SSRF in embed2 servlet via redirects | May 19th 2022 | haxatron | High | $900 | CVE-2022-1784
Bypass SSRF protection with 307 redirection | May 17th 2022 | am0o0 | duplicate / Critical | - | -
Full read Server Side Request Forgery via Dns rebinding attack | May 19th 2022 | daman-preet-singh | not applicable | - | -
Regex check failed leads to CORS bypass | May 17th 2022 | nhiephon | Low | - | -
Stored XSS on drawio | May 18th 2022 | joaovitormaia | Medium | $300 | CVE-2022-1730
SSRF via IPv6 address 2 | May 16th 2022 | haxatron | None | - | -
Server Side Request Forgery via location header | May 18th 2022 | myyxl | High | $900 | CVE-2022-1767
Path Traversal in WellKnownServlet | May 15th 2022 | 7085 | High | $900 | CVE-2022-1721
Bypass /proxy SSRF protection | May 18th 2022 | am0o0 | self closed | - | -
Leakage of third-party OAuth token via redirect | May 18th 2022 | caioluders | High | $900 | CVE-2022-1774
Arbitrary Local File Read and SSRF in EmbedServlet2 | May 15th 2022 | 7085 | duplicate / Critical | - | -
Server Side Request Forgery in drawio's 'checkUrlParameter' function | May 18th 2022 | michaellrowley | informative / None | - | -
Local file inclusion | May 16th 2022 | 0x2374 | High | $900 | CVE-2022-1723
SSRF in editor's proxy via IPv6 link-local address | May 15th 2022 | haxatron | High | $900 | CVE-2022-1722
RCE in the Desktop App because of Unsafe Link Handling | May 18th 2022 | 7085 | High | $900 | CVE-2022-1727
SSRF on /proxy | May 15th 2022 | caioluders | High | $2000 | CVE-2022-1713
SSRF via Unvalidated Redirects in ProxyServlet | May 16th 2022 | 7085 | High | $900 | CVE-2022-1711
Html Injection | May 7th 2022 | gaurav-g2 | Low | $300 | -
Arbitrary Code Execution through Sanitizer Bypass | May 5th 2022 | 7085 | Critical | $2000 | CVE-2022-1575
Current bounty amounts by severity: Critical $0, High $0, Medium $0, Low $0.