net.sourceforge.plantuml:plantuml is vulnerable to cross-site scripting (XSS). The library inserts SVG markup directly into the markup of an enclosing SVG, so specially crafted malicious SVG content can be injected and a dangerous payload executed inside the targeted system.
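The pattern the advisory describes, shown as an added example that is not PlantUML's code and not the fix from the referenced commit: a Python sketch of the vulnerable approach (an SVG fragment concatenated verbatim into the enclosing SVG) beside a hardened composer that parses the fragment and rebuilds it from an allowlist of elements and attributes, reporting what it dropped so the rejection can be logged. The allowlists, the enclosing document's size, the function names and the sample fragment are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Allowlists constructed for this example (not PlantUML's): plain drawing
# primitives only. Anything that can carry active content (script, foreignObject,
# a, image, use, style, event handlers, href/xlink:href) is simply absent.
ALLOWED_ELEMENTS = {
    "svg", "g", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "path", "text", "tspan", "title", "desc",
}
ALLOWED_ATTRIBUTES = {
    "x", "y", "width", "height", "cx", "cy", "r", "rx", "ry", "x1", "y1",
    "x2", "y2", "points", "d", "fill", "stroke", "stroke-width", "transform",
    "font-size", "font-family", "text-anchor", "viewBox",
}

# Constructed sample: a legitimate rect with an event-handler attribute bolted on,
# a script element, and text that needs escaping.
SAMPLE_FRAGMENT = (
    '<rect x="10" y="10" width="50" height="50" fill="red" onload="untrusted()"/>'
    '<script>untrusted()</script>'
    '<text x="5" y="5">a &amp; b</text>'
)


def unsafe_embed(fragment: str) -> str:
    """Vulnerable pattern: the untrusted fragment lands in the enclosing SVG verbatim."""
    return f'<svg xmlns="{SVG_NS}" width="200" height="200">{fragment}</svg>'


def _local_name(qualified: str) -> str:
    # ElementTree spells namespaced names as "{uri}name"; keep only "name".
    return qualified.rsplit("}", 1)[-1]


def _sanitize_element(elem: ET.Element, dropped: list) -> "ET.Element | None":
    """Rebuild elem from allowlisted parts; return None if the element itself is not allowed."""
    name = _local_name(elem.tag)
    if name not in ALLOWED_ELEMENTS:
        dropped.append(f"element <{name}>")  # the whole subtree goes with it
        return None
    clean = ET.Element(name)
    for attr, value in elem.attrib.items():
        aname = _local_name(attr)
        if aname not in ALLOWED_ATTRIBUTES:
            dropped.append(f"attribute {aname} on <{name}>")
            continue
        # Values are copied as-is here; a production sanitizer would also validate
        # them (e.g. reject url(...) references in fill/stroke).
        clean.set(aname, value)
    clean.text = elem.text  # serializer re-escapes text, so "<" in text stays inert
    for child in elem:
        clean_child = _sanitize_element(child, dropped)
        if clean_child is not None:
            clean_child.tail = child.tail
            clean.append(clean_child)
    return clean


def sanitize_fragment(fragment: str) -> "tuple[str, list]":
    """Parse the fragment and return (clean markup, list of dropped items).

    Raises ValueError on malformed XML so that unparsable input is rejected rather
    than passed through.
    """
    wrapped = f'<root xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}">{fragment}</root>'
    try:
        # NOTE: xml.etree is not hardened against entity-expansion attacks;
        # use defusedxml.ElementTree.fromstring in production code.
        root = ET.fromstring(wrapped)
    except ET.ParseError as exc:
        raise ValueError(f"rejected malformed SVG fragment: {exc}") from None
    dropped: list = []
    parts = []
    for child in root:
        clean = _sanitize_element(child, dropped)
        if clean is not None:
            clean.tail = child.tail
            parts.append(ET.tostring(clean, encoding="unicode"))
    return "".join(parts), dropped


def safe_embed(fragment: str) -> str:
    """Hardened pattern: only the rebuilt, allowlisted markup enters the enclosing SVG."""
    clean, _dropped = sanitize_fragment(fragment)
    return f'<svg xmlns="{SVG_NS}" width="200" height="200">{clean}</svg>'


if __name__ == "__main__":
    print("unsafe:", unsafe_embed(SAMPLE_FRAGMENT))
    print("safe:  ", safe_embed(SAMPLE_FRAGMENT))
    for item in sanitize_fragment(SAMPLE_FRAGMENT)[1]:
        print("dropped:", item)
```

The allowlist is deliberate: SVG exposes script execution through several channels (script elements, on* event attributes, href values, foreignObject wrapping HTML), so a denylist that strips the obvious ones tends to miss one. Rebuilding the tree from parsed nodes also means the output is re-serialized by the XML library, which closes off the markup-breaking tricks that string concatenation leaves open. The dropped list is what you would log or surface to the user so that a rejected diagram is visible rather than silently altered.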
github.com/plantuml/plantuml/blob/v1.2022.3/src/net/sourceforge/plantuml/svg/SvgGraphics.java#L899
github.com/plantuml/plantuml/commit/c9137be051ce98b3e3e27f65f54ec7d9f8886903
huntr.dev/bounties/27db9509-6cd3-4148-8d70-5942f3837604
lists.fedoraproject.org/archives/list/[email protected]/message/EO26WBHQRMWTS44M5VLZJIJZOIGJYL3A/
lists.fedoraproject.org/archives/list/[email protected]/message/FQMHXN5BVBK433C5SVSSBXWB5JLJ7NID/