Code Injection in mermaid - CVE-2026-41149

Published: May 12, 2026

Vulnerability identifier: #VU131135
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41149
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: mermaid-js
Affected software:
mermaid

Detailed vulnerability description

The vulnerability allows a remote attacker to inject HTML into the DOM.

The vulnerability exists due to improper sanitization in the state diagram classDef handling when rendering user-supplied state diagrams. A remote attacker can supply a specially crafted diagram definition to inject HTML into the DOM.

Under the default configuration the injected content can escape the SVG context; exploitation requires user interaction.
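The root cause named above is that classDef style text in a state diagram reaches the DOM without adequate sanitization. Applying the vendor update is the fix; as a defence-in-depth layer, a service that accepts user-submitted diagrams can also reject classDef lines that fall outside a strict allowlist before the text is handed to the renderer. The following is an added example written for this advisory, not code from mermaid-js or from the advisory's author: the allowed property names and the value grammar are this example's own assumptions (they are deliberately narrower than what the renderer accepts), and the two diagram strings are constructed samples.

```javascript
// Added example: allowlist pre-check for classDef lines in untrusted
// Mermaid state-diagram source, run before the text reaches the renderer.
// The property list and value grammar are assumptions of this example,
// not the vendor's parser rules; anything not matched is rejected (fail closed).

const ALLOWED_PROPS = new Set([
  'fill', 'stroke', 'stroke-width', 'stroke-dasharray',
  'color', 'font-weight', 'font-style',
]);

// Class names: identifier characters only.
const CLASS_NAME = /^[A-Za-z_][\w-]*$/;
// Values: hex colours, keywords, lengths, percentages and spaces.
// No quotes, angle brackets, slashes, parentheses, semicolons or braces.
const SAFE_VALUE = /^[#\w.% -]+$/;

// Check one "prop:value" declaration; return null when it is acceptable,
// otherwise a short reason string.
function checkDeclaration(decl) {
  const idx = decl.indexOf(':');
  if (idx < 0) return `missing ':' in '${decl.trim()}'`;
  const prop = decl.slice(0, idx).trim();
  const value = decl.slice(idx + 1).trim();
  if (!ALLOWED_PROPS.has(prop)) return `property '${prop}' not allowed`;
  if (!SAFE_VALUE.test(value)) return `value for '${prop}' contains disallowed characters`;
  return null;
}

// Scan every classDef line in the diagram source. Returns
// { ok: boolean, rejected: [{ line, reason }, ...] } so the caller can
// refuse the submission and log exactly which line tripped the check.
function vetClassDefs(source) {
  const rejected = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line.startsWith('classDef')) return;
    const m = /^classDef\s+(\S+)\s+(.*)$/.exec(line);
    if (!m) {
      rejected.push({ line: i + 1, reason: 'malformed classDef line' });
      return;
    }
    const [, name, body] = m;
    if (!CLASS_NAME.test(name)) {
      rejected.push({ line: i + 1, reason: `bad class name '${name}'` });
      return;
    }
    for (const decl of body.split(',')) {
      const err = checkDeclaration(decl);
      if (err) {
        rejected.push({ line: i + 1, reason: err });
        break;
      }
    }
  });
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample: an ordinary state diagram with a benign classDef.
const GOOD_DIAGRAM = [
  'stateDiagram-v2',
  '  [*] --> Idle',
  '  Idle --> Running',
  '  classDef active fill:#fdd,stroke:#900,stroke-width:2px',
].join('\n');

// Constructed sample: a classDef value carrying markup characters,
// which the allowlist refuses regardless of what the renderer would do with it.
const BAD_DIAGRAM = [
  'stateDiagram-v2',
  '  [*] --> Idle',
  '  classDef sneaky fill:#fdd,stroke:<span>x',
].join('\n');

console.log(JSON.stringify(vetClassDefs(GOOD_DIAGRAM)));
console.log(JSON.stringify(vetClassDefs(BAD_DIAGRAM)));
```

Because the regular expression requires whitespace after `classDef`, a line such as `classDefX ...` is reported as malformed rather than passed through, so unexpected syntax fails closed. The `rejected` entries carry line numbers and reasons, which is what you would want to write to an application log when a submission is refused.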


How to mitigate CVE-2026-41149

Install the security update from the vendor's website.

Sources