PT-2026-33689 · Unknown · Next-Ai-Draw-Io

Koukyosyumei · Published 2026-04-19 · Updated 2026-04-21 · CVE-2026-40608

CVSS v3.1: 6.2 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Next AI Draw.io, versions prior to 0.4.15
Description: The embedded HTTP sidecar exposes three POST handlers, /api/state, /api/restore and /api/history-svg, each of which reads the incoming request body by concatenating every chunk into a single JavaScript string with no size limit. Because that accumulated string lives in the V8 heap of the Node.js process, a client that can reach the sidecar can send a large enough body to exhaust heap memory and trigger an out-of-memory (OOM) error that crashes the MCP server.
Recommendations: Update to version 0.4.15 or later.

Weakness Enumeration: Allocation of Resources Without Limits (CWE-770: Allocation of Resources Without Limits or Throttling)

Related Identifiers: CVE-2026-40608

Affected Products: Next-Ai-Draw-Io