Stored XSS in DrawIO for ownCloud <1.0.2 (ownCloud <10.15.3)
CVE-2025-53831 Published on July 6, 2026
DrawIO for ownCloud 10 is vulnerable to Stored XSS
DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attackers with access to the DrawIO app can leverage improper neutralization of input during web page generation to achieve stored XSS. Upgrade ownCloud 10 to version 10.15.3 or later or upgrade DrawIO for ownCloud 10 to version 1.0.2 or later to receive a patch.
Vulnerability Analysis
CVE-2025-53831 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-53831 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2025-53831
Want to know whenever a new CVE is published for ownCloud? stack.watch will email you.
Affected Versions
DrawIO for ownCloud:- Version < 1.0.2 is affected.
- Version < 10.15.3 is affected.