CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 3 days ago•4 views

Malicious code in mermaid-v11 (npm)

5.6AI score

RedhatCVE•added 6 days ago•4 views

CVE-2026-41150

A flaw was found in Mermaid, a JavaScript tool used for creating diagrams and charts. This vulnerability allows a remote attacker to trigger a denial-of-service DoS condition. The attack occurs when a specially crafted gantt chart, which uses the excludes attribute to exclude all dates, is...

6.5CVSS5.1AI score0.00055EPSS

Exploits0References8

RedhatCVE•added 6 days ago•4 views

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration...

5.3CVSS5.5AI score0.00057EPSS

RedhatCVE•added 6 days ago•9 views

CVE-2026-11455

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function checkcmdexists of the file metagpt/utils/common.py. This manipulation of the argument mermaid.path causes command injection. The attack may be initiated remotely. A high degree of...

NVD•added 2026/06/07 9:16 a.m.•8 views

CVE-2026-11455

5CVSS0.0108EPSS

CVE•added 2026/06/07 7:0 a.m.•16 views

CVE-2026-11455

Summary: CVE-2026-11455 affects FoundationAgents MetaGPT up to 0.8.2. The vulnerability targets the function check_cmd_exists in metagpt/utils/common.py, where manipulating the mermaid.path argument enables a command injection. The issue potentially allows remote initiation with a high attack com...

ATTACKERKB•added 2026/06/07 7:0 a.m.•9 views

CVE-2026-11455

Exploits0References7Affected Software1

EUVD•added 2026/06/07 7:0 a.m.•9 views

EUVD-2026-34985

Positive Technologies•added 2026/06/07 12:0 a.m.•9 views

PT-2026-47177

Name of the Vulnerable Software and Affected Versions FoundationAgents MetaGPT versions prior to 0.8.3 Description Command injection is possible via the mermaid.path argument in the check cmd exists function located in the metagpt/utils/common.py file. This issue allows a remote attacker to execu...

5CVSS6AI score0.0108EPSS

Exploits0References11

RedhatCVE•added 2026/06/05 7:50 p.m.•5 views

CVE-2026-3254

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox...

3.5CVSS5.5AI score0.00013EPSS

RedhatCVE•added 2026/06/05 7:36 p.m.•6 views

CVE-2026-41149

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state...

5.3CVSS5.5AI score0.00059EPSS

RedhatCVE•added 2026/06/05 7:36 p.m.•8 views

CVE-2026-41148

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram and any other diagram type that routes...

5.3CVSS5.3AI score0.00074EPSS

RedhatCVE•added 2026/06/05 7:14 p.m.•6 views

CVE-2026-40322

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to...

9CVSS6.1AI score0.00055EPSS

RedhatCVE•added 2026/06/05 7:13 p.m.•4 views

CVE-2026-40107

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary...

8.7CVSS5.5AI score0.0006EPSS

Exploits1References1

UbuntuCve•added 2026/06/01 12:0 a.m.•6 views

CVE-2026-41150

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you th...

5.3CVSS5.8AI score0.00055EPSS

Exploits0References8

UbuntuCve•added 2026/06/01 12:0 a.m.•6 views

CVE-2026-41159

5.3CVSS5.8AI score0.00057EPSS

SUSE CVE•added 2026/05/30 2:7 a.m.•8 views

SUSE CVE-2026-41150

5.3CVSS5.8AI score0.00055EPSS

SUSE CVE•added 2026/05/30 2:7 a.m.•10 views

SUSE CVE-2026-41159

5.3CVSS5.8AI score0.00057EPSS

Tenable Nessus•added 2026/05/30 12:0 a.m.•11 views

Linux Distros Unpatched Vulnerability : CVE-2026-41159

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default...

5.3CVSS5.5AI score0.00057EPSS