Graphviz
By the Year
In 2025 there have been 0 vulnerabilities in Graphviz. Last year, in 2024, Graphviz had 1 security vulnerability published. Right now, Graphviz is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 1 | 7.80 |
2023 | 0 | 0.00 |
2022 | 0 | 0.00 |
2021 | 1 | 7.80 |
2020 | 0 | 0.00 |
2019 | 2 | 7.65 |
2018 | 1 | 5.50 |
It may take a day or so for new Graphviz vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Graphviz Security Vulnerabilities
Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file
CVE-2023-46045
7.8 - High
- February 02, 2024
Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file. NOTE: exploitability may be uncommon because this file is typically owned by root.
Out-of-bounds Read
Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier
CVE-2020-18032
7.8 - High
- April 29, 2021
Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the "lib/common/shapes.c" component.
Classic Buffer Overflow
The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference
CVE-2019-11023
8.8 - High
- April 08, 2019
The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39.20160612.1140 has a NULL pointer dereference, as demonstrated by graphml2gv.
NULL Pointer Dereference
An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1
CVE-2019-9904
6.5 - Medium
- March 21, 2019
An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2.40.1. Stack consumption occurs because of recursive agclose calls in lib\cgraph\graph.c in libcgraph.a, related to agfstsubg in lib\cgraph\subg.c.
Stack Exhaustion
NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1
CVE-2018-10196
5.5 - Medium
- May 30, 2018
NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.
NULL Pointer Dereference
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz
CVE-2014-9157
- December 03, 2014
Format string vulnerability in the yyerror function in lib/cgraph/scan.l in Graphviz allows remote attackers to have unspecified impact via format string specifiers in unknown vectors, which are not properly handled in an error string.
Use of Externally-Controlled Format String