2 matches found
CVE-2025-54880
CVE-2025-54880 affects mermaid up to version 11.9.0 where user-provided input for architecture diagrams is passed to d3.html(), creating a cross-site scripting sink. The CVE description notes the issue is fixed in 11.10.0. Connected GHSA advisory for Gogs highlights stored XSS via mermaid diagram...
CVE-2025-54880 Mermaid does not properly sanitize architecture diagram iconText leading to XSS
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html...