Search results: 26 matches found (20 shown on this page)

Cvelist, added 2026/04/09 9:03 p.m., 15 views

CVE-2026-40107 SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, tags with src attributes survive Mermaid's internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary...

CVSS 8.7 | EPSS 0.0006 | Exploits 1 | References 1
NVD, added 2026/01/21 11:15 p.m., 4 views

CVE-2026-23630

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored cross-site scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render, then inject the returned SVG/HT...

CVSS 6.3 | EPSS 0.00061 | Exploits 1 | References 3
CVE, added 2026/01/21 10:51 p.m., 7 views

CVE-2026-23630

CVE-2026-23630 affects Docmost: versions 0.3.0–0.23.2 are vulnerable to stored XSS in Mermaid diagram rendering. Attacker-controlled Mermaid diagrams rendered via mermaid.render() are injected into the DOM with dangerouslySetInnerHTML, and per-diagram %%{init}%% directives can override securityLe...

CVSS 6.3 | AI score 5.8 | EPSS 0.00061 | Exploits 1 | References 3 | Affected software 1
OSV, added 2026/01/21 10:51 p.m., 5 views

CVE-2026-23630 Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored cross-site scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render, then inject the returned SVG/HT...

CVSS 6.3 | AI score 5.9 | EPSS 0.00061 | Exploits 1 | References 5
Cvelist, added 2026/01/21 10:51 p.m., 16 views

CVE-2026-23630 Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored cross-site scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render, then inject the returned SVG/HT...

CVSS 6.3 | EPSS 0.00061 | Exploits 1 | References 3
Vulnrichment, added 2026/01/21 10:51 p.m., 4 views

CVE-2026-23630 Docmost is vulnerable to stored Cross-Site Scripting (XSS) through Mermaid rendering

Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored cross-site scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render, then inject the returned SVG/HT...

CVSS 6.3 | AI score 5.8 | EPSS 0.00061 | Exploits 1 | References 3
Tenable Nessus, added 2026/01/12 12:00 a.m., 5 views

FreeBSD : Gitlab -- vulnerabilities (c9b610e9-eebc-11f0-b051-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the c9b610e9-eebc-11f0-b051-2cf05da270f3 advisory. Gitlab reports: Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders...

CVSS 9.6 | AI score 5.9 | EPSS 0.00027 | Exploits 0 | References 9
FreeBSD, added 2026/01/07 12:00 a.m., 6 views

Gitlab -- vulnerabilities

Gitlab reports: Stored Cross-site Scripting issue in GitLab Flavored Markdown placeholders impacts GitLab CE/EE; Cross-site Scripting issue in Web IDE impacts GitLab CE/EE; Missing Authorization issue in Duo Workflows API impacts GitLab EE; Missing Authorization issue in AI GraphQL mutation impacts...

CVSS 9.6 | AI score 6.4 | EPSS 0.00027 | Exploits 0 | References 1
Vulnrichment, added 2025/12/23 10:51 p.m., 2 views

CVE-2025-68669 5ire vulnerable to Remote Code Execution (RCE) via mermaid

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. In versions 0.15.2 and prior, an RCE vulnerability exists in useMarkdown.ts, where the markdown-it-mermaid plugin is initialized with securityLevel: 'loose'. This configuration explicitly permits...

CVSS 9.6 | AI score 6.4 | EPSS 0.00087 | Exploits 1 | References 4
NVD, added 2025/12/19 5:15 p.m., 3 views

CVE-2025-66580

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary...

CVSS 9.6 | EPSS 0.00261 | Exploits 1 | References 1
Vulnrichment, added 2025/12/19 4:37 p.m., 1 view

CVE-2025-66580 Dive has Cross-Site Scripting vulnerability that can escalate to Remote Code Execution

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary...

CVSS 9.6 | AI score 5.7 | EPSS 0.00261 | Exploits 1 | References 1
CVE, added 2025/12/19 4:37 p.m., 10 views

CVE-2025-66580

CVE-2025-66580 affects the Dive open-source MCP Host Desktop Application. Versions prior to 0.11.1 contain a critical Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram rendering component that allows execution of arbitrary JavaScript via the javascript: URI. An attacker could...

CVSS 9.6 | AI score 5.7 | EPSS 0.00261 | Exploits 1 | References 1 | Affected software 1
Cvelist, added 2025/12/19 4:37 p.m., 21 views

CVE-2025-66580 Dive has Cross-Site Scripting vulnerability that can escalate to Remote Code Execution

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary...

CVSS 9.6 | EPSS 0.00261 | Exploits 1 | References 1
EUVD, added 2025/12/19 4:37 p.m., 3 views

EUVD-2025-204564

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary...

CVSS 9.6 | AI score 5.5 | EPSS 0.00261 | Exploits 1 | References 1
RedhatCVE, added 2025/12/17 12:55 a.m., 1 view

CVE-2025-67744

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer...

CVSS 9.6 | AI score 6.9 | EPSS 0.00261 | Exploits 1 | References 1
NVD, added 2025/12/16 1:15 a.m., 3 views

CVE-2025-67744

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer...

CVSS 9.6 | EPSS 0.00261 | Exploits 1 | References 2
EUVD, added 2025/12/16 12:42 a.m., 2 views

EUVD-2025-203488

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to version 0.5.3, a security vulnerability exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. Due to the exposure of the Electron IPC renderer...

CVSS 9.6 | AI score 6.4 | EPSS 0.00261 | Exploits 1 | References 2
Positive Technologies, added 2025/12/16 12:00 a.m., 3 views

PT-2025-51356

Vulnerable software and affected versions: DeepChat versions prior to 0.5.3. Description: DeepChat is an open-source artificial intelligence agent platform. A security issue exists in the Mermaid diagram rendering component that allows arbitrary JavaScript execution. This Cross-Site...

CVSS 9.6 | AI score 6.5 | EPSS 0.00261 | Exploits 1 | References 10
CNNVD, added 2025/12/16 12:00 a.m., 2 views

DeepChat code injection vulnerability

DeepChat is an intelligent assistant open-sourced by ThinkInAIXYZ. A code injection vulnerability exists in DeepChat versions prior to 0.5.3, which stems from a cross-site scripting issue in the Mermaid chart rendering component that could lead to remote code execution...

CVSS 9.6 | AI score 7.4 | EPSS 0.00261 | Exploits 1 | References 3
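The Mermaid entries above share one shape: Mermaid initialised with securityLevel "loose" (SiYuan, 5ire), htmlLabels enabled so src-bearing tags reach the SVG (SiYuan), a per-diagram %%{init}%% directive that tries to override securityLevel (Docmost), javascript: URIs (Dive), and the rendered SVG injected with innerHTML or dangerouslySetInnerHTML without a second sanitisation pass. The script below is an added example written for this page; it is not code from SiYuan, Docmost, 5ire, Dive, DeepChat or Mermaid. It audits the options object handed to mermaid.initialize() and scans stored Markdown for diagram sources that carry those tricks, which is what a reviewer would run over an export of notes or wiki pages while assessing exposure. The option names securityLevel and htmlLabels, the "strict" default, and the %%{init}%% syntax are Mermaid's documented ones; the config shape, the Markdown sample and the regexes are assumptions, and the regexes are triage heuristics for review, not a sanitizer.

```javascript
// Added example: triage for the Mermaid patterns described in the advisories
// above. Not code from SiYuan, Docmost, 5ire, Dive, DeepChat or Mermaid; the
// regexes are review heuristics, not a sanitizer.

// Mermaid securityLevel values that let diagram-supplied HTML/URLs reach the DOM.
const UNSAFE_SECURITY_LEVELS = new Set(["loose", "antiscript"]);

// Audit the options object passed to mermaid.initialize(). Only the documented
// default securityLevel ("strict") is assumed; htmlLabels is reported when it is
// explicitly enabled next to a weak securityLevel, the combination SiYuan shipped.
function auditMermaidConfig(config) {
  const findings = [];
  const level = config.securityLevel ?? "strict";
  if (UNSAFE_SECURITY_LEVELS.has(level)) {
    findings.push(`securityLevel "${level}": use "strict" or "sandbox"`);
    const htmlLabels = config.htmlLabels === true || config.flowchart?.htmlLabels === true;
    if (htmlLabels) {
      findings.push("htmlLabels enabled with a weak securityLevel: label HTML is rendered as given");
    }
  }
  return findings;
}

// Heuristics applied to one diagram's source text.
const DIAGRAM_CHECKS = [
  {
    // %%{init: {"securityLevel": "loose"}}%% directive (single quotes tolerated)
    kind: "init-directive-securityLevel",
    re: /%%\{\s*init\s*:[\s\S]*?["']securityLevel["']\s*:\s*["'](loose|antiscript)["'][\s\S]*?\}\s*%%/i,
  },
  // click/href targets such as javascript:alert(1)
  { kind: "javascript-uri", re: /javascript\s*:/i },
  // src-bearing elements inside labels (image/iframe loads leak outbound requests)
  { kind: "src-bearing-html", re: /<(img|iframe|embed|object|source|video|audio)\b[^>]*\bsrc\s*=/i },
  // inline script or event-handler attributes
  { kind: "inline-script-or-handler", re: /<script\b|\son[a-z]+\s*=/i },
];

function scanDiagramSource(source) {
  return DIAGRAM_CHECKS.filter((c) => c.re.test(source)).map((c) => c.kind);
}

// Pull fenced mermaid blocks out of Markdown, the storage format of the note and
// wiki apps above. Returns [{ line, source }], line being 1-based.
const FENCE = "`".repeat(3);
function extractMermaidBlocks(markdown) {
  const re = new RegExp("^" + FENCE + "mermaid[^\\n]*\\n([\\s\\S]*?)^" + FENCE, "gm");
  const blocks = [];
  let m;
  while ((m = re.exec(markdown)) !== null) {
    const line = markdown.slice(0, m.index).split("\n").length;
    blocks.push({ line, source: m[1] });
  }
  return blocks;
}

// Report only blocks with at least one finding.
function auditMarkdown(markdown) {
  return extractMermaidBlocks(markdown)
    .map((b) => ({ line: b.line, findings: scanDiagramSource(b.source) }))
    .filter((b) => b.findings.length > 0);
}

// The weak initialize() options named in the advisories beside a hardened set
// (assumed shapes; both are plain objects you would pass to mermaid.initialize()).
const WEAK_CONFIG = { startOnLoad: false, securityLevel: "loose", htmlLabels: true };
const HARDENED_CONFIG = { startOnLoad: false, securityLevel: "strict" };

// Constructed sample document: one benign diagram, one using every trick.
const SAMPLE_MARKDOWN = [
  "# Architecture notes",
  "",
  FENCE + "mermaid",
  "flowchart LR",
  "  A[Client] --> B[API]",
  FENCE,
  "",
  "Text between diagrams.",
  "",
  FENCE + "mermaid",
  '%%{init: {"securityLevel": "loose"}}%%',
  "flowchart LR",
  '  A["<img src=x onerror=alert(1)>"] --> B',
  '  click B href "javascript:alert(document.cookie)"',
  FENCE,
].join("\n");

console.log(auditMermaidConfig(WEAK_CONFIG));     // two findings
console.log(auditMermaidConfig(HARDENED_CONFIG)); // []
console.log(JSON.stringify(auditMarkdown(SAMPLE_MARKDOWN), null, 2)); // block at line 10, four findings
```

A hit from this script is a lead, not a verdict: Mermaid's own DOMPurify pass catches some of these in "strict" mode, and the advisories turn on what the application does with the returned SVG afterwards. The fix the entries converge on is the same in every case: keep securityLevel at "strict" (or "sandbox", which renders in an iframe), do not enable htmlLabels for untrusted content, and sanitise the SVG string once more before it goes into innerHTML or dangerouslySetInnerHTML.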
EUVD, added 2025/10/03 8:07 p.m., 4 views

EUVD-2025-27502

Malicious code in bioql PyPI...

CVSS 9.6 | AI score 6.5 | EPSS 0.0022 | Exploits 1 | References 1