PT-2023-8844 · npm · @excalidraw/excalidraw

Eugene Lim · Published 2023-08-15 · Updated 2024-03-30 · CVE-2023-26140

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: @excalidraw/excalidraw versions 0.0.0 through 0.15.2
Description: The package is vulnerable to Cross-site Scripting (XSS) via links embedded in whiteboard objects. Link values attached to drawing elements are not sanitized before use, so a remote attacker who can place a specially crafted link in a drawing gets it executed in the context of anyone who opens that drawing. The vulnerability affects users of the npm package @excalidraw/excalidraw, particularly in deployments where drawings that contain untrusted user input are shared with third parties.
Recommendations: Update to version 0.15.3 or later, which resolves the issue. If you cannot update immediately, deploy the package only where drawings do not carry untrusted user input, and as a temporary workaround restrict the sharing of drawings that contain untrusted user input until the patch is applied.
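The description above says the root cause is unsanitized link values on whiteboard elements. As an added illustration, and not Excalidraw's own code (the actual 0.15.3 fix is not reproduced here), the following JavaScript shows the shape of the remedy such a finding calls for: a scheme allow-list applied to every element link at the import boundary and again at render time. The element shape (an object with a `link` property), the function names and the sample drawing are assumptions made for this example.

```javascript
// Added example, not Excalidraw's code. Element shape, function names and the
// sample drawing below are hypothetical and constructed for this illustration.

// Allow-list, not deny-list: anything that is not http(s) or mailto is dropped,
// which covers javascript:, data:, vbscript: and schemes nobody has thought of yet.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Return a canonical, allow-listed URL, or "" when the input must be dropped.
// The WHATWG URL parser (global `URL` in browsers and Node) strips leading and
// trailing C0 controls and spaces, removes inner tabs/newlines, and lower-cases
// the scheme, so "  JaVa\tScRiPt:alert(1)" still parses as "javascript:" and is
// rejected by the allow-list rather than slipping past a string comparison.
function normalizeLink(raw) {
  if (typeof raw !== "string") return "";
  const input = raw.trim();
  if (input === "") return "";
  let url;
  try {
    url = new URL(input);
  } catch {
    // Scheme-less input such as "example.com/docs": assume https rather than
    // letting it resolve relative to whatever page is hosting the whiteboard.
    try {
      url = new URL("https://" + input);
    } catch {
      return "";
    }
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : "";
}

// Attribute/text escaping for the rendered anchor.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render an element's link as an anchor. A rejected link degrades to plain
// text, so a hostile drawing loses its payload but keeps its visible label.
function renderLinkAnchor(rawLink, label) {
  const href = normalizeLink(rawLink);
  if (href === "") return escapeHtml(label);
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Sanitize every element's link when a drawing arrives from an untrusted
// source (a shared file, a collaboration payload, a pasted clipboard object).
// Elements without a link are returned unchanged.
function sanitizeElements(elements) {
  return elements.map((el) =>
    el.link == null ? el : { ...el, link: normalizeLink(el.link) || null }
  );
}

// Constructed sample drawing: two benign links, three hostile ones, one without a link.
const SAMPLE_ELEMENTS = [
  { id: "a", type: "text", text: "docs", link: "https://example.com/docs" },
  { id: "b", type: "rectangle", link: "example.com/page" },
  { id: "c", type: "text", text: "click me", link: "javascript:alert(document.cookie)" },
  { id: "d", type: "ellipse", link: " JaVa\tScRiPt:alert(1)" },
  { id: "e", type: "text", text: "img", link: "data:text/html,<script>alert(1)</script>" },
  { id: "f", type: "arrow", link: null },
];

for (const el of sanitizeElements(SAMPLE_ELEMENTS)) {
  console.log(el.id, JSON.stringify(el.link));
}
console.log(renderLinkAnchor("javascript:alert(1)", "<b>hi</b>"));
```

Two caveats worth knowing before copying this pattern: a scheme-less host with a port, such as `localhost:3000/x`, parses as scheme `localhost:` and is therefore rejected, so local development links need an explicit `http://`; and sanitizing only on import is not enough in a collaborative editor, because an element can be mutated in memory after load, which is why the render path normalizes again.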

Fix

Weakness Enumeration: Special Elements Injection · Improper Neutralization · XSS

Related Identifiers

BDU:2024-02264
CVE-2023-26140
GHSA-fr9g-2m2h-c27j
GHSA-v7v8-gjv7-ffmr

Affected Products

@excalidraw/excalidraw