diff --git a/debian/changelog b/debian/changelog
index 8a2401c..c4a2ae9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+plantuml (1:1.2020.2+ds-3deepin1) unstable; urgency=medium
+
+ * CVE-2026-0858: Fix stored XSS in SVG export for GraphViz diagrams
+
+ -- deepin-ci-robot Mon, 27 Apr 2026 14:56:42 +0800
+
 plantuml (1:1.2020.2+ds-3) unstable; urgency=medium
 
 [ Tomas Janousek ]
diff --git a/debian/patches/CVE-2026-0858.patch b/debian/patches/CVE-2026-0858.patch
new file mode 100644
index 0000000..53bc7e9
--- /dev/null
+++ b/debian/patches/CVE-2026-0858.patch
@@ -0,0 +1,30 @@
+Index: github-plantuml-2026-0858/src/net/sourceforge/plantuml/directdot/PSystemDot.java
+===================================================================
+--- github-plantuml-2026-0858.orig/src/net/sourceforge/plantuml/directdot/PSystemDot.java
++++ github-plantuml-2026-0858/src/net/sourceforge/plantuml/directdot/PSystemDot.java
+@@ -8,7 +8,7 @@
+ *
+ * If you like this project or if you find it useful, you can support us at:
+ *
+- * http://plantuml.com/patreon (only 1$ per month!)
++ * http://plantuml.com/patreon (only 1$ per month)
+ * http://plantuml.com/paypal
+ *
+ * This file is part of PlantUML.
+@@ -40,6 +40,7 @@ import java.util.Arrays;
+
+ import net.sourceforge.plantuml.AbstractPSystem;
+ import net.sourceforge.plantuml.CounterOutputStream;
++import net.sourceforge.plantuml.FileFormat;
+ import net.sourceforge.plantuml.FileFormatOption;
+ import net.sourceforge.plantuml.StringUtils;
+ import net.sourceforge.plantuml.api.ImageDataSimple;
+@@ -70,6 +71,8 @@ public class PSystemDot extends Abstract
+ @Override
+ final protected ImageData exportDiagramNow(OutputStream os, int num, FileFormatOption fileFormat, long seed)
+ throws IOException {
++ if (fileFormat.getFileFormat() == FileFormat.SVG)
++ return ImageDataSimple.ok();
+ final Graphviz graphviz = GraphvizUtils.create(null, data,
+ StringUtils.goLowerCase(fileFormat.getFileFormat().name()));
+ if (graphviz.getExeState() != ExeState.OK) {
diff --git a/debian/patches/series b/debian/patches/series
index b4b46d1..c1bbd67 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ ditaa/0001-Update-ditaa.patch
 ditaa/0002-Support-SVG-export-in-ditaa.patch
 ditaa/0003-ditaa-Force-String.format-locale-to-fix-decimal-sepa.patch
 ditaa/0004-ditaa-Do-not-fill-dashed-shapes-especially-not-open-.patch
+CVE-2026-0858.patch
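Review bot: The new guard at the top of `exportDiagramNow` returns `ImageDataSimple.ok()` for `FileFormat.SVG` without writing a single byte to `os`, so every caller gets a success result paired with an empty output stream; a server front-end would then serve an empty `image/svg+xml` body with no indication that the request was refused. Making the refusal visible — throwing (e.g. `throw new UnsupportedOperationException("SVG export of raw dot diagrams is disabled (CVE-2026-0858)");`) or routing through the same error path as the `graphviz.getExeState() != ExeState.OK` branch that follows, whose body lies outside this hunk — would be safer than a silent no-op. The guard also disables the feature rather than escaping the user-controlled content that Graphviz presumably copies into its SVG (`URL`/`href` attributes and label text are the usual vector), and nothing in the patch records that decision; a comment such as `// CVE-2026-0858: Graphviz-rendered SVG embeds dot input unescaped, so SVG export of raw dot is disabled` should accompany the check, and whoever backports it should confirm no other output format in this version wraps Graphviz's SVG. The `(only 1$ per month!)` edit in the licence header is unrelated to the CVE and only inflates a security backport.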