Main Vulnerability Database Vulnerabilities #VU127461

Cross-site scripting in mermaid - CVE-2021-43861

Published: December 29, 2021 / Updated: April 24, 2026

Vulnerability identifier: #VU127461

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2021-43861

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
mermaid

Software vendor:
mermaid-js

Description

The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in the diagram rendering functionality when processing malicious diagrams. A remote attacker can supply a specially crafted diagram to execute arbitrary script code in the victim's browser.

User interaction is required to view the crafted diagram.

Remediation

Install security update from vendor's website.

External links

https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v

Cross-site scripting in mermaid - CVE-2021-43861

Description

Remediation

External links

Please verify you're human