CVE-2026-41149
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state...
CVE-2026-41149
CVE-2026-41149 affects Mermaid state diagrams via improper sanitization of the classDef directive, allowing DOM injection that can escape the SVG context. Concrete details: vulnerable in Mermaid versions ≤10.9.5 and 11.0.0-alpha.1 through 11.14.0; fixed in 10.9.6 and 11.15.0. The issue is mitigated by st...
Arbitrary Code Injection
Overview org.webjars.npm:mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the classDef function in state diagrams. An attacker can...
NPM: Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
NPM: Mermaid: Improper sanitization of classDef in state diagrams leads to HTML injection vulnerability discovered by ? in WordPress Npm mermaid versions <= 10.9.5...
Arbitrary Code Injection
Overview mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the classDef function in state diagrams. An attacker can inject arbitrary...
CVE-2026-26226
beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without...
CVE-2026-26226
The CVE-2026-26226 issue affects beautiful-mermaid versions prior to 0.1.3, where user-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping. This enables SVG attribute injection that can lead to cross-site scripting (XSS) ...
PT-2026-8010
Name of the Vulnerable Software and Affected Versions beautiful-mermaid versions prior to 0.1.3 Description The software contains an SVG attribute injection issue that can lead to cross-site scripting XSS when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid sty...
PT-2023-35815 · Git +1 · Harfbuzz
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: A heap-buffer-overflow read issue is identified, potentially causing a crash. The crash occurs in the sort_r_simple function and involves the...