Infinite loop in mermaid - CVE-2026-41150

 

Published: May 12, 2026


Vulnerability identifier: #VU131136
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41150
CWE-ID: CWE-835
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: mermaid
Software vendor: mermaid-js

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a loop with an unreachable exit condition in gantt chart rendering, triggered when a gantt chart's excludes attribute is configured so that every date is excluded. A remote attacker can supply a specially crafted gantt chart definition to cause a denial of service.

mermaid.parse alone is unaffected unless ganttDb.getTasks() is called, such as during diagram rendering.
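As an added example (not mermaid's code, and not part of this advisory), the guard below inspects a user-supplied gantt definition for an excludes configuration that rules out all seven weekdays and refuses to render it, so the definition never reaches the affected task-date loop. It assumes the documented excludes syntax (the keyword weekends, lowercase weekday names and YYYY-MM-DD dates, separated by spaces or commas); the helper names and the sample definitions are constructed for this example.

```javascript
// Pre-render guard for user-supplied Mermaid gantt definitions (added example).
const WEEKDAYS = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];

// Collect every weekday ruled out by the `excludes` lines of a gantt definition.
function excludedWeekdays(definition) {
  const excluded = new Set();
  for (const rawLine of definition.split(/\r?\n/)) {
    const m = rawLine.trim().toLowerCase().match(/^excludes\s+(.+)$/);
    if (!m) continue;
    for (const token of m[1].split(/[\s,]+/).filter(Boolean)) {
      if (token === 'weekends') {
        excluded.add('saturday');
        excluded.add('sunday');
      } else if (WEEKDAYS.includes(token)) {
        excluded.add(token);
      }
      // Explicit YYYY-MM-DD dates exclude single days and cannot by themselves
      // rule out every date, so they are ignored here.
    }
  }
  return excluded;
}

// True when no day of the week remains available, i.e. the renderer could never
// find a valid task date. Conservative: an `includes` line is not consulted.
function excludesEveryWeekday(definition) {
  return excludedWeekdays(definition).size === WEEKDAYS.length;
}

// Refuse offending gantt definitions before handing them to the renderer.
// `render` is the caller's own rendering function (hypothetical parameter), so
// this guard does not depend on any particular mermaid API.
function renderGanttSafely(definition, render) {
  if (/^\s*gantt\b/m.test(definition) && excludesEveryWeekday(definition)) {
    throw new Error('gantt definition excludes every weekday; refusing to render');
  }
  return render(definition);
}

// Constructed sample definitions.
const SAFE_GANTT = `gantt
    dateFormat YYYY-MM-DD
    excludes weekends
    section Build
    Compile :a1, 2026-05-11, 3d`;

const UNSAFE_GANTT = `gantt
    dateFormat YYYY-MM-DD
    excludes weekends, monday, tuesday, wednesday, thursday, friday
    section Build
    Compile :a1, 2026-05-11, 3d`;
```

In a deployment that renders untrusted diagrams, run the guard on the same string that is passed to the renderer, since mermaid.parse alone does not exercise the affected loop.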


Remediation

Install security update from vendor's website.

External links