Cross-site scripting in mermaid - CVE-2022-31108

Published: June 28, 2022 / Updated: April 24, 2026


Vulnerability identifier: #VU127459
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31108
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: mermaid
Software vendor: mermaid-js

Description

The vulnerability allows a remote attacker to inject arbitrary CSS into the generated graph, affecting the container HTML.

The vulnerability exists due to improper neutralization of input in the graph rendering logic when rendering crafted diagram content. A remote attacker can supply crafted diagram content to inject arbitrary CSS into the generated graph, affecting the container HTML.


Remediation

Install the security update from the vendor's website.

External links