Security: jgraph/drawio

SECURITY.md

Security Policy

Supported Versions

We only accept security reports against the latest version in this repo, or the version currently deployed to app.diagrams.net if it differs.

We do not backport fixes to older versions. If you self-host draw.io, please keep your deployment up to date with the latest release.

Reporting a Vulnerability

Please report security vulnerabilities privately through GitHub. Go to the Security tab of this repository and click Report a vulnerability, or use this direct link:

https://github.com/jgraph/drawio/security/advisories/new

Please do not open a public issue, pull request or discussion for a security vulnerability.

To help us triage quickly, include where you can:

  • A description of the vulnerability and its potential impact.
  • The version, or the URL, where you observed it.
  • Step-by-step instructions to reproduce it, ideally with a minimal proof of concept.
  • Any relevant logs, screenshots or sample diagram files.

Disclosure Process

  • We will acknowledge your report as soon as we can and keep you updated as we investigate.
  • We ask that you give us a reasonable amount of time to release a fix before any public disclosure.
  • We are happy to credit you in the advisory once the issue is resolved, unless you would prefer to remain anonymous.

Out of Scope

  • Issues relating to the PlantUML integration.
  • Issues relating to the www.drawio.com web site.