CSS Injection Vulnerability in Mermaid Diagramming Tool by Mermaid
CVE-2026-41148

5.3 MEDIUM

Key Information:

Vendor: Mermaid-js
Status: Vendor
CVE Published: 22 May 2026

What is CVE-2026-41148?

The Mermaid JavaScript diagramming tool is susceptible to CSS injection because user-controlled input is not properly sanitized. Affected versions allow an unrestricted regular-expression match that can manipulate class definitions. As a result, malicious input can lead to unintended page modifications, including defacement, user tracking via CSS, and potential data exfiltration through DOM attributes. Users are encouraged to upgrade to version 10.9.6 or 11.15.0 to secure their applications. As a temporary mitigation, set the security level to 'sandbox', which renders diagrams inside a protected iframe.
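A defensive pre-filter for diagram text, as an added example that is not Mermaid's own code: it checks the style list of each `classDef` line against an allowlist of properties and a value grammar that excludes the CSS primitives injection relies on (closing braces, `url()`/`attr()`, at-rules, comments). The allowlist, the `classDef` pattern and the sample diagram are assumptions constructed for illustration.

```javascript
// Added example, not Mermaid's own sanitizer. Assumed input: a diagram source
// where style declarations on a classDef line are comma-separated "prop:value".
const ALLOWED_PROPS = new Set([
  'fill', 'stroke', 'stroke-width', 'stroke-dasharray', 'color',
  'font-size', 'font-weight', 'font-style', 'opacity',
]);
// Colours, keywords and numbers with units only: no braces, parentheses,
// quotes, semicolons, '@' or '/' so a value cannot break out of its rule.
const SAFE_VALUE = /^[A-Za-z0-9#.%\- ]{1,64}$/;

// Returns null when every declaration is acceptable, otherwise a reason.
function checkClassDefStyles(styleList) {
  const decls = styleList.split(',').map((d) => d.trim()).filter(Boolean);
  if (decls.length === 0) return 'empty style list';
  for (const decl of decls) {
    const idx = decl.indexOf(':');
    if (idx < 0) return `missing ':' in "${decl}"`;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPS.has(prop)) return `property not allowed: ${prop}`;
    if (!SAFE_VALUE.test(value)) return `unsafe value for ${prop}: "${value}"`;
  }
  return null;
}

// Assumed classDef shape: "classDef <name> <styles>;" (semicolon optional).
const CLASSDEF_RE = /^\s*classDef\s+([A-Za-z0-9_]+)\s+(.*?);?\s*$/;

// Scans a whole diagram source and reports offending classDef lines.
function findUnsafeClassDefs(diagramSource) {
  const problems = [];
  diagramSource.split('\n').forEach((line, n) => {
    const m = CLASSDEF_RE.exec(line);
    if (!m) return;
    const reason = checkClassDefStyles(m[2]);
    if (reason) problems.push({ line: n + 1, name: m[1], reason });
  });
  return problems;
}

// Constructed sample: one well-formed classDef and one whose value tries to
// close the rule and start another.
const SAMPLE = [
  'graph TD',
  '  A[Start] --> B[End]',
  '  classDef good fill:#f9f,stroke:#333,stroke-width:4px;',
  '  classDef bad fill:red} * {background:url(x);',
  '  class A good',
].join('\n');
```

Run the check before handing untrusted diagram text to the renderer, and keep the 'sandbox' security level as the primary control; this filter is a defence-in-depth layer, not a replacement for upgrading.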

Affected Version(s)

mermaid >= 11.0.0-alpha.1, < 11.15.0 (fixed in 11.15.0)

mermaid < 10.9.6 (fixed in 10.9.6)

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved