Code Injection in mermaid - CVE-2026-41159

Published: May 12, 2026


Vulnerability identifier: #VU131134
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41159
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
mermaid
Software vendor:
mermaid-js

Description

The vulnerability allows a remote attacker to inject CSS and modify page content outside of the Mermaid diagram.

The vulnerability exists due to improper neutralization of special elements in configuration options when Mermaid processes user-supplied diagram initialization settings. A remote attacker can supply crafted fontFamily, themeCSS, or altFontFamily values to inject CSS and modify page content outside of the Mermaid diagram.

User interaction is required to load or render a crafted diagram.
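The following is an added example, not Mermaid's own code and not part of this advisory: it shows how a host application can screen diagram initialization settings that arrive from an untrusted source before handing them to mermaid.initialize(). It assumes the host application (not Mermaid) owns the configuration object, and the sample configuration is constructed for the example. The configuration keys named (fontFamily, altFontFamily, themeCSS) are the ones the advisory lists.

```javascript
// Added example (not Mermaid's or the advisory's code): treat the three
// CSS-bearing configuration keys from the advisory as untrusted input.
// - themeCSS is arbitrary stylesheet text by design, so it is never accepted
//   from an untrusted source.
// - fontFamily / altFontFamily are restricted to characters a real font-family
//   list needs; braces, semicolons, angle brackets and backslashes are refused
//   because they could end the enclosing CSS declaration or rule.

const CSS_BEARING_KEYS = ['fontFamily', 'altFontFamily', 'themeCSS'];

// Comma-separated list of family names, e.g. 'Trebuchet MS, Verdana, sans-serif'.
const FONT_FAMILY_RE = /^[A-Za-z0-9 ,'"._-]{1,120}$/;

function isSafeFontFamily(value) {
  return typeof value === 'string' && FONT_FAMILY_RE.test(value);
}

// Render a value as a CSS <string> token (double-quoted, with quotes,
// backslashes and control characters escaped) so that wherever it is
// interpolated it cannot terminate the surrounding declaration.
function quoteCssString(value) {
  let out = '"';
  for (const ch of value) {
    const code = ch.codePointAt(0);
    if (ch === '"' || ch === '\\') {
      out += '\\' + ch;
    } else if (code < 0x20 || code === 0x7f) {
      out += '\\' + code.toString(16) + ' '; // CSS hex escape, space-terminated
    } else {
      out += ch;
    }
  }
  return out + '"';
}

// Returns { safe, dropped }: the configuration object the host may pass on,
// plus the names of keys that were refused (useful for logging/alerting).
function sanitizeDiagramConfig(untrusted) {
  const safe = {};
  const dropped = [];
  for (const [key, value] of Object.entries(untrusted || {})) {
    if (key === 'themeCSS') {
      dropped.push(key); // never accept raw CSS from an untrusted source
      continue;
    }
    if (key === 'fontFamily' || key === 'altFontFamily') {
      if (isSafeFontFamily(value)) {
        safe[key] = value;
      } else {
        dropped.push(key);
      }
      continue;
    }
    // Keys outside CSS_BEARING_KEYS are passed through here; a production host
    // would allowlist those too (assumption: the host decides that policy).
    safe[key] = value;
  }
  return { safe, dropped };
}

// Constructed sample: one legitimate font list, one value carrying a closing
// brace (no real font name needs one), and a themeCSS block.
const SAMPLE_UNTRUSTED_CONFIG = {
  theme: 'default',
  fontFamily: 'Trebuchet MS, Verdana, sans-serif',
  altFontFamily: 'Arial; }',
  themeCSS: '.node { fill: red }',
};

function demo() {
  const result = sanitizeDiagramConfig(SAMPLE_UNTRUSTED_CONFIG);
  // A host would now call mermaid.initialize(result.safe) and log result.dropped.
  console.log('accepted:', JSON.stringify(result.safe));
  console.log('refused keys:', result.dropped.join(', '));
  console.log('quoted font:', quoteCssString(result.safe.fontFamily));
  return result;
}

demo();
```

Refusing a key outright, rather than trying to repair its value, keeps the policy easy to audit; the list of dropped keys is the signal a security team would want to see in application logs when someone submits a diagram with unexpected settings.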


Remediation

Install the security update from the vendor's website.

External links