HTML Injection Vulnerability in Mermaid JavaScript Diagram Tool
CVE-2026-41149

5.3 MEDIUM

Key Information:

Vendor

Mermaid-js

Status
Vendor
CVE Published:
22 May 2026

What is CVE-2026-41149?

Mermaid, a widely used JavaScript diagramming library, is vulnerable to HTML injection under its default configuration in the affected versions. Markup placed in a classDef directive inside a Mermaid state diagram reaches the DOM and can escape the SVG element the diagram is rendered into. Although tags are stripped, which keeps the flaw from reaching full cross-site scripting (XSS), attacker-controlled content can still be injected into the host page, so the issue should not be left unaddressed. Users should upgrade to 10.9.6 or 11.15.0. Where an immediate upgrade is not possible, set securityLevel to 'sandbox', which renders diagrams inside a sandboxed iframe so that injected markup cannot reach the host document.
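The following is an added illustration of the two mitigations above, not code from the advisory or from the Mermaid project. It pairs the default (weak) and hardened initialize() settings with a small defence-in-depth gate that refuses to render a state diagram under the default security level when a classDef style payload contains HTML-significant characters. The classDef parsing is a deliberate simplification of Mermaid's grammar and the character set is an assumption; the sample diagrams are constructed for the example.

```javascript
// Added example (not Mermaid's own code). Shows the advisory's workaround config
// beside the default, plus a pre-render gate for state-diagram classDef payloads.

// Mermaid initialize() options. 'strict' is the default; 'sandbox' is the
// advisory's workaround and renders every diagram inside a sandboxed iframe.
const WEAK_MERMAID_CONFIG = { startOnLoad: false, securityLevel: 'strict' };
const HARDENED_MERMAID_CONFIG = { startOnLoad: false, securityLevel: 'sandbox' };

// Assumption: characters that could let a classDef style value break out of an
// SVG attribute or element context when rendered without the sandbox.
const MARKUP_CHARS = /[<>"'&]/;

// Collect classDef directives from a diagram source (simplified grammar).
function extractClassDefs(diagram) {
  const defs = [];
  for (const rawLine of diagram.split('\n')) {
    const m = /^classDef\s+(\S+)\s+(.*)$/.exec(rawLine.trim());
    if (m) defs.push({ name: m[1], style: m[2] });
  }
  return defs;
}

// Returns { ok, offending }: offending lists classDef names whose style text
// carries markup characters. Only state diagrams are checked, matching the
// advisory's scope.
function checkStateDiagram(diagram) {
  if (!/^\s*stateDiagram(-v2)?\b/.test(diagram)) {
    return { ok: true, offending: [] };
  }
  const offending = extractClassDefs(diagram)
    .filter((d) => MARKUP_CHARS.test(d.style))
    .map((d) => d.name);
  return { ok: offending.length === 0, offending };
}

// Gate: a sandboxed config always passes; an unsandboxed config passes only
// diagrams whose classDef payloads are clean. Throws otherwise.
function chooseRenderConfig(diagram, config) {
  if (config.securityLevel === 'sandbox') return config;
  const result = checkStateDiagram(diagram);
  if (!result.ok) {
    throw new Error(`classDef markup rejected: ${result.offending.join(', ')}`);
  }
  return config;
}

// Constructed sample inputs (not taken from the advisory).
const CLEAN_DIAGRAM = `stateDiagram-v2
  [*] --> Idle
  Idle --> Running
  classDef hot fill:#f96,stroke:#333,stroke-width:2px
  class Running hot`;

const SUSPICIOUS_DIAGRAM = `stateDiagram-v2
  [*] --> Idle
  classDef evil fill:#f96"><b>injected</b>
  class Idle evil`;

// Usage: pick the config, then hand the diagram to mermaid.render() as usual.
// chooseRenderConfig(SUSPICIOUS_DIAGRAM, WEAK_MERMAID_CONFIG)     -> throws
// chooseRenderConfig(SUSPICIOUS_DIAGRAM, HARDENED_MERMAID_CONFIG) -> sandbox config
```

The gate is a heuristic for the interim only: it reduces exposure for applications that cannot switch to 'sandbox' (for example where iframe rendering breaks interactive features), but it does not replace upgrading to 10.9.6 or 11.15.0, which is the only fix that addresses the underlying rendering behaviour.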

Affected Version(s)

mermaid 11.x: affected >= 11.0.0-alpha.1, < 11.15.0; fixed in 11.15.0

mermaid 10.x: affected < 10.9.6; fixed in 10.9.6

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
