SB2022062843 - Cross-site scripting in mermaid

Published: June 28, 2022 Updated: April 24, 2026

Security Bulletin ID SB2022062843
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2022-31108)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject arbitrary CSS via diagram content and thereby restyle the HTML page that contains the rendered graph, not only the graph itself.

The vulnerability exists because styling directives in diagram source are not properly neutralized by the graph rendering logic: style text supplied with the diagram is emitted into the generated stylesheet without being confined to the diagram's own container. A remote attacker who can get a crafted diagram rendered in a victim's browser (for example by submitting it to a wiki, issue tracker or documentation site that renders mermaid client-side) can therefore inject CSS rules whose selectors match elements of the surrounding page. Arbitrary CSS is more than a cosmetic problem: it can hide or overlay page elements, and attribute selectors combined with externally loaded resources are a well-known way to leak the contents of page fields. Exploitation requires the victim to view the crafted diagram (UI:A in the vector above).


Remediation

Install the update from the vendor's website; the fix is included in mermaid 9.1.2 and later. Until the update is deployed, do not render diagram text supplied by untrusted users.