What is CVE-2026-40608?

CVE-2026-40608 is a medium-severity vulnerability in Dayuanjiang Next-ai-draw-io, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 6.2/10. Published 2026-04-21.

How severe is CVE-2026-40608?

Medium severity. CVSS v3 base score is 6.2 out of 10.

Resource exhaustion in Dayuanjiang Next-ai-draw-io

CVE-2026-40608

Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that process incom…

EPSS: 0.000 (4.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.2 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Dayuanjiang Next-ai-draw-io — versions < 0.4.15

Weakness classification (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling

References

https://github.com/DayuanJiang/next-ai-draw-io/security/advisories/GHSA-9q7h-wgfw-p378 (x_refsource_CONFIRM)
https://github.com/DayuanJiang/next-ai-draw-io/commit/31819f413cc4b329a1cb81e5fccd0cd98c1fd665 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-40608?: CVE-2026-40608 is a medium-severity vulnerability in Dayuanjiang Next-ai-draw-io, classified under Allocation of Resources Without Limits or Throttling. CVSS score: 6.2/10. Published 2026-04-21.
How severe is CVE-2026-40608?: Medium severity. CVSS v3 base score is 6.2 out of 10.