SB2026051244 - Multiple vulnerabilities in mermaid
Published: May 12, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2026-41159)
The vulnerability allows a remote attacker to inject CSS and modify page content outside of the Mermaid diagram.
The vulnerability exists due to improper neutralization of special elements in Mermaid's configuration handling when processing user-supplied diagram initialization settings. A remote attacker can supply crafted fontFamily, themeCSS, or altFontFamily values to inject CSS and modify page content outside of the Mermaid diagram.
User interaction is required to load or render a crafted diagram.
2) Code Injection (CVE-ID: CVE-2026-41149)
The vulnerability allows a remote attacker to inject HTML into the DOM.
The vulnerability exists due to improper sanitization of classDef statements when rendering user-supplied state diagrams. A remote attacker can supply a specially crafted diagram definition to inject HTML into the DOM.
Under the default configuration, the injected content can escape the SVG context. User interaction is required to render the crafted diagram.
3) Infinite loop (CVE-ID: CVE-2026-41150)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a loop with an unreachable exit condition in gantt chart rendering when a chart's excludes attribute is configured to exclude all dates. A remote attacker can supply a specially crafted gantt chart definition to cause a denial of service.
mermaid.parse alone is unaffected; the loop is reached only when ganttDb.getTasks() is called, as happens during diagram rendering.
4) Code Injection (CVE-ID: CVE-2026-41148)
The vulnerability allows a remote attacker to inject arbitrary CSS into the page.
The vulnerability exists due to improper neutralization of special elements in createCssStyles when processing user-controlled classDef style strings in diagrams. A remote attacker can supply a specially crafted diagram definition to inject arbitrary CSS into the page.
User interaction is required to render a crafted diagram.
Remediation
Install the update from the vendor's website; the linked GitHub advisories list the affected and patched versions for each issue.
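Until the update is rolled out, applications that render untrusted Mermaid source (for example Markdown from users) may want a pre-render screen for the input classes named in items 1 to 4 above. The following is an added example, not mermaid's own code and not a replacement for the vendor fix: it flags init directives that set fontFamily, altFontFamily or themeCSS; classDef style strings that contain characters capable of closing a CSS declaration or rule or opening markup (braces, semicolons, angle brackets, quotes, backslashes); and gantt excludes lines that cover every day of the week. The function name screenMermaidSource, the regular expressions and the sample diagrams are this example's own assumptions rather than guarantees about mermaid's grammar, and the gantt heuristic tracks only weekday names and the weekends keyword, not specific YYYY-MM-DD dates.

```javascript
// Added example, not mermaid's own code: a pre-render screen for untrusted
// Mermaid source that flags the input classes named in this bulletin. It is a
// compensating control to use alongside the vendor update, not a sanitizer.

// Init directives (%%{init: {...}}%%) carry diagram initialization settings.
const INIT_DIRECTIVE_RE = /%%\{\s*init(?:ialize)?\s*:\s*([\s\S]*?)\}%%/gi;
// Config keys the bulletin names as CSS-injection vectors (item 1).
const CSS_CONFIG_KEYS = ['fontFamily', 'altFontFamily', 'themeCSS'];
// classDef <name(s)> <prop:value,prop:value,...>;   (items 2 and 4)
const CLASSDEF_RE = /^\s*classDef\s+\S+\s+(.+?)\s*;?\s*$/;
// One style pair: a CSS property name, a colon, and a value free of the
// characters needed to close a declaration or rule or to open markup.
const STYLE_PAIR_RE = /^[a-zA-Z-]+\s*:\s*[^{};<>"'\\]+$/;
// gantt "excludes" line: weekday names, "weekends", or YYYY-MM-DD dates (item 3)
const EXCLUDES_RE = /^\s*excludes\s+(.+?)\s*$/i;
const WEEKDAYS = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];

function checkInitDirectives(src, findings) {
  for (const m of src.matchAll(INIT_DIRECTIVE_RE)) {
    for (const key of CSS_CONFIG_KEYS) {
      // Key may be bare or quoted; \b keeps "fontFamily" from matching "altFontFamily".
      if (new RegExp(`\\b${key}\\b\\s*["']?\\s*:`).test(m[1])) {
        findings.push(`init directive sets ${key}`);
      }
    }
  }
}

function checkClassDefs(src, findings) {
  for (const line of src.split('\n')) {
    const m = CLASSDEF_RE.exec(line);
    if (!m) continue;
    for (const pair of m[1].split(',')) {
      const p = pair.trim();
      if (!STYLE_PAIR_RE.test(p)) findings.push(`classDef style rejected: ${p}`);
    }
  }
}

function checkGanttExcludes(src, findings) {
  if (!/^\s*gantt\b/m.test(src)) return;
  const excluded = new Set();
  for (const line of src.split('\n')) {
    const m = EXCLUDES_RE.exec(line);
    if (!m) continue;
    for (const token of m[1].toLowerCase().split(/[\s,]+/)) {
      if (token === 'weekends') { excluded.add('saturday'); excluded.add('sunday'); }
      else if (WEEKDAYS.includes(token)) excluded.add(token);
      // Specific dates are not tracked by this heuristic.
    }
  }
  if (WEEKDAYS.every((d) => excluded.has(d))) {
    findings.push('gantt excludes every day of the week');
  }
}

// Returns { safe, findings }; reject or quarantine the input when safe is false.
function screenMermaidSource(src) {
  const findings = [];
  checkInitDirectives(src, findings);
  checkClassDefs(src, findings);
  checkGanttExcludes(src, findings);
  return { safe: findings.length === 0, findings };
}

// Constructed sample diagrams (not taken from any report or advisory).
const SAMPLE_OK = `%%{init: {'theme': 'base'}}%%
flowchart LR
  A[Start] --> B[Done]
  classDef good fill:#f9f,stroke:#333,stroke-width:4px;
  class A good`;
const SAMPLE_CSS_CONFIG = `%%{init: {'theme': 'base', 'fontFamily': 'x', 'themeCSS': '/* constructed */'}}%%
flowchart LR
  A --> B`;
const SAMPLE_BAD_CLASSDEF = `stateDiagram-v2
  [*] --> Moving
  classDef bad fill:#fff}
  class Moving bad`;
const SAMPLE_GANTT_ALL_EXCLUDED = `gantt
  title Constructed sample
  dateFormat YYYY-MM-DD
  excludes monday, tuesday, wednesday, thursday, friday, weekends
  section Work
  Task :a1, 2026-05-01, 3d`;
const SAMPLE_GANTT_OK = SAMPLE_GANTT_ALL_EXCLUDED.replace(/excludes .*$/m, 'excludes weekends');

for (const [name, src] of Object.entries({ SAMPLE_OK, SAMPLE_CSS_CONFIG, SAMPLE_BAD_CLASSDEF, SAMPLE_GANTT_ALL_EXCLUDED, SAMPLE_GANTT_OK })) {
  console.log(name, JSON.stringify(screenMermaidSource(src)));
}
```

Call screenMermaidSource on the diagram text before it reaches mermaid.render and refuse to render when safe is false. Because rendering, not parsing, is where items 1 to 3 become reachable, screening at the render boundary is the right place; the check is deliberately strict (it rejects any brace, semicolon, quote or angle bracket inside a classDef value), so expect some false positives on unusual but legitimate styles.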
References
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
- https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
- https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
- https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
- https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f