Security Advisories

This page lists all the security vulnerabilities fixed in released versions of the PlantUML for Confluence app. 

If you have encountered an unlisted security vulnerability or other unexpected behavior that has security impact, please report them privately to the PlantUML Developer Team. Thank you.


Critical vulnerability in Apache Log4j (Log4Shell, CVE-2021-44228, CVE-2021-45046)

The PlantUML for Confluence app was not affected by the Log4Shell vulnerability and

The plugin is not using log4j2 for logging nor it bundles the log4j library.

Critical vulnerability in Spring Framework (Spring4Shell, CVE-2022-22965)
The PlantUML for Confluence app use the spring components provided by Confluence and may be affected by if your Confluence instance itself meets the criteria outlined by Atlassian in You should follow the guide provided by Atlassian to check and fix your Confluence Server, a separate action for our apps is not needed


The PlantUML for Confluence app is using the following third party components:

  • org.apache.xmlgraphics:batik-constants

  • org.apache.xmlgraphics:batik-svggen

  • org.jsoup:jsoup

  • net.sourceforge.plantuml:plantuml


  • org.apache.xmlgraphics:batik-util

  • org.apache.xmlgraphics:batik-i18n

  • org.scilab.forge:jlatexmath

  • org.apache.xmlgraphics:batik-awt-util

The Maven POM lists the detailed versions of the third party components.

The native graphviz package is not bundled by this app.

Security Vulnerabilities