2 matches found
@8btc/excalidraw (>=0.18.0-beta.0 <=0.18.0-beta.4), @alkemio/excalidraw (>=0.17.1-alkemio-5 <=0.19.0-alkemio-1) +99 more potentially affected by unknown CVE via @excalidraw/mermaid-to-excalidraw (>=0.3.0 <=1.1.2)
@excalidraw/mermaid-to-excalidraw NPM version =0.3.0, =0.18.0-beta.0, =0.17.1-alkemio-5, =1.0.0, =0.18.3, =0.18.0, =0.0.1-BETA, =0.5.0-00d79ee, =0.17.1, =18.0.3, =0.18.0-patch.1, =0.17.1-1d71f84, =0.0.1, =0.0.5 and more Source cves: unknown CVE Source advisory: OSV:GHSA-39H7-PWV7-RC3X...
GHSA-39H7-PWV7-RC3X Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
Impact @excalidraw/[email protected] depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path. This is patched i...