Code Injection in mermaid - CVE-2026-41149

 


Published: May 12, 2026


Vulnerability identifier: #VU131135
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41149
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
mermaid
Software vendor:
mermaid-js

Description

The vulnerability allows a remote attacker to inject arbitrary HTML into the DOM of any page that renders attacker-supplied diagrams with mermaid.

The vulnerability exists due to insufficient sanitization of classDef definitions in state diagrams when mermaid renders user-supplied diagram source. A remote attacker who can supply diagram text (for example through a comment, wiki page or markdown field that the application renders with mermaid) can craft a diagram definition whose classDef content is placed into the DOM as HTML.

Under the default configuration the injected content is not confined to the rendered SVG and can reach the surrounding page DOM. Exploitation requires user interaction (UI:A in the CVSS vector), so the victim must open or interact with the page that renders the crafted diagram.
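As an added, illustrative stop-gap (this is not mermaid's fix and not code from the advisory), the following JavaScript applies an allowlist to classDef statements before untrusted diagram text is handed to mermaid. The classDef grammar assumed here (`classDef <name>[,<name>] <prop>:<value>[,<prop>:<value>]`) is mermaid's documented form; the property and value character sets, the function names and the two sample diagrams are this example's own assumptions, and the rejected sample merely contains markup characters in a style value and is not presented as a known exploit payload.

```javascript
// Added example (not mermaid's own code): allowlist gate for classDef
// statements in diagram text that comes from untrusted users.
// Assumed grammar (mermaid docs):
//   classDef <name>[,<name>...] <prop>:<value>[,<prop>:<value>...]

const CLASSDEF_RE = /^\s*classDef\s+([\w,-]+)\s+(.*?)\s*;?\s*$/;
// Conservative allowlist (this example's assumption): CSS-like property names
// and values made of colour codes, numbers, units and plain words. Anything
// else, including markup characters, quotes, url(...) or rgb(...), is refused.
const PROP_RE = /^[a-z-]+$/;
const VALUE_RE = /^[A-Za-z0-9#.%\s-]+$/;

// Check one source line; non-classDef lines pass through untouched.
function checkClassDef(line) {
  const m = CLASSDEF_RE.exec(line);
  if (!m) return { ok: true, reason: 'not a classDef statement' };
  const [, names, styles] = m;
  for (const pair of styles.split(',')) {
    const idx = pair.indexOf(':');
    if (idx < 0) {
      return { ok: false, reason: `classDef ${names}: malformed pair "${pair.trim()}"` };
    }
    const prop = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (!PROP_RE.test(prop)) {
      return { ok: false, reason: `classDef ${names}: disallowed property "${prop}"` };
    }
    if (!VALUE_RE.test(value)) {
      return { ok: false, reason: `classDef ${names}: disallowed characters in value of "${prop}"` };
    }
  }
  return { ok: true, reason: 'allowlisted' };
}

// Scan a whole diagram; returns which lines would be refused and why.
function gateDiagram(source) {
  const rejected = [];
  source.split(/\r?\n/).forEach((line, i) => {
    const r = checkClassDef(line);
    if (!r.ok) rejected.push({ line: i + 1, reason: r.reason });
  });
  return { ok: rejected.length === 0, rejected };
}

// Constructed samples for this example (not taken from the advisory).
const BENIGN = [
  'stateDiagram-v2',
  '  [*] --> Idle',
  '  classDef warn fill:#f96,stroke:#333,stroke-width:2px',
  '  class Idle warn',
].join('\n');

const REJECTED = [
  'stateDiagram-v2',
  '  classDef x fill:#fff"><b>x', // markup characters inside a style value
  '  [*] --> Idle',
].join('\n');

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(gateDiagram(BENIGN));   // ok: true
  console.log(gateDiagram(REJECTED)); // ok: false, line 2 refused
}
```

Call `gateDiagram(source)` on the raw diagram text and refuse to render when `ok` is false; the allowlist is deliberately strict and will also refuse legitimate but unusual values such as `rgb(...)` or `url(...)`, which is the intended trade-off for untrusted input. This gate does not replace the vendor update. Rendering untrusted diagrams inside an isolated frame (mermaid's `securityLevel: 'sandbox'` option renders into a sandboxed iframe) is a general hardening measure worth combining with it, but the advisory does not state that any configuration option alone closes this issue.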


Remediation

Install the security update from the vendor's website (upgrade mermaid to a fixed release). Until the update is applied, treat diagram definitions from untrusted sources as untrusted HTML input: do not render them into pages that carry authenticated session state, or render them only in an isolated context.

External links