24 matches found

Github Security Blog
added 2026/04/24 8:41 p.m. | 12 views

Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)

Impact @excalidraw/[email protected] depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path. This is patched i...

CVSS 5.3 | AI score 5.2 | EPSS 0.00027
Exploits 0 | References 4 | Affected Software 2
Veracode
added 2025/09/09 9:11 a.m. | 3 views

Cross-Site Scripting (XSS)

Mermaid is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to user-supplied input for sequence diagram labels being passed to innerHTML during element size calculation, which allows an attacker to inject and execute malicious scripts...

CVSS 5.3 | AI score 6.5 | EPSS 0.00027
Exploits 0 | References 3 | Affected Software 1
Tenable Nessus
added 2025/08/31 12:00 a.m. | 1 view

Linux Distros Unpatched Vulnerability : CVE-2025-54881

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. I...

CVSS 5.3 | AI score 5.5 | EPSS 0.00027
Exploits 0 | References 2
Snyk
added 2025/08/19 8:16 p.m. | 1 view

Cross-site Scripting (XSS)

Overview: mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the calculateMathMLDimensions function, which was introduced in 5c69e5f. An attacker can execute...

CVSS 6.1 | AI score 5.5 | EPSS 0.00027
Exploits 0 | References 2
OSV
added 2025/08/19 8:16 p.m. | 0 views

GHSA-7RQQ-PRVP-X9JH Mermaid improperly sanitizes sequence diagram labels leading to XSS

Summary: In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS. Details: Sequence diagram node labels with KaTeX delimiters are passed through calculateMathMLDimensions. This method pass...

CVSS 5.3 | AI score 5.9 | EPSS 0.00027
Exploits 0 | References 5
NVD
added 2025/08/19 5:15 p.m. | 4 views

CVE-2025-54881

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...

CVSS 5.3 | EPSS 0.00027
Exploits 0 | References 3
OSV
added 2025/08/19 5:15 p.m. | 1 view

UBUNTU-CVE-2025-54881

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...

CVSS 5.3 | AI score 5.8 | EPSS 0.00027
Exploits 0 | References 5
Cvelist
added 2025/08/19 5:04 p.m. | 7 views

CVE-2025-54881 Mermaid improperly sanitizes sequence diagram labels leading to XSS

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...

CVSS 5.3 | EPSS 0.00027
Exploits 0 | References 3
CVE
added 2025/08/19 5:04 p.m. | 54 views

CVE-2025-54881

Technical details about CVE-2025-54881 are not publicly available in the provided connected documents. Monitor for updates.

CVSS 5.3 | AI score 7.1 | EPSS 0.00027
Exploits 0 | References 3
Vulnrichment
added 2025/08/19 5:04 p.m. | 2 views

CVE-2025-54881 Mermaid improperly sanitizes sequence diagram labels leading to XSS

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...

CVSS 5.3 | AI score 7.1 | EPSS 0.00027
Exploits 0 | References 3
CNNVD
added 2025/08/19 12:00 a.m. | 2 views

Mermaid cross-site scripting vulnerability

Mermaid is an open source application from mermaid-js for creating charts and visualizations from text and code. A cross-site scripting vulnerability exists in Mermaid versions 10.9.0-rc.1 through 11.9.0; it stems from user-entered sequence diagram labels being passed to innerHTML, potentially leading to...

CVSS 5.3 | AI score 5.9 | EPSS 0.00027
Exploits 0 | References 4
OSV
added 2024/06/26 7:33 p.m. | 8 views

CVE-2024-38527 Cross-site Scripting in ZenUML

ZenUML is a JavaScript-based diagramming tool that requires no server, using Markdown-inspired text definitions and a renderer to create and modify sequence diagrams. Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS). The comment feature allows the use...

CVSS 5.4 | AI score 6.6 | EPSS 0.00136
Exploits 0 | References 4
Fedora
added 2024/03/07 10:33 p.m. | 20 views

[SECURITY] Fedora 40 Update: plantuml-1.2024.3-3.fc40

PlantUML is a program for drawing UML diagrams from a simple, human-readable text description. It is extremely useful for documenting code, sketching project architecture during team conversations, and so on. PlantUML supports the following diagram types: - sequence diagram - use case...

CVSS 8.8 | AI score 7 | EPSS 0.46427
Exploits 3
Packet Storm
added 2023/12/15 12:00 a.m. | 396 views

RTPEngine mr11.5.1.6 Denial Of Service

RTPEngine susceptible to Denial of Service via DTLS Hello packets during call initiation. Fixed versions: mr12.1.1.2, mr12.0.1.3, mr11.5.1.16, mr10.5.6.3, mr10.5.6.2. Enable Security Advisory: https://github.com/EnableSecurity/advisories/tree/master/ES2023-03-rtpengine-dtls-hello-race. Vendor...

AI score 7.4
Exploits 0
Fedora
added 2023/10/01 3:40 a.m. | 39 views

[SECURITY] Fedora 39 Update: plantuml-1.2023.11-1.fc39

PlantUML is a program for drawing UML diagrams from a simple, human-readable text description. It is extremely useful for documenting code, sketching project architecture during team conversations, and so on. PlantUML supports the following diagram types: - sequence diagram - use case...

CVSS 10 | AI score 7.1 | EPSS 0.00202
Exploits 2
Talos
added 2023/07/05 12:00 a.m. | 23 views

Diagon Sequence::DrawText heap-based buffer overflow vulnerability

Talos Vulnerability Report TALOS-2023-1744: Diagon Sequence::DrawText heap-based buffer overflow vulnerability. July 5, 2023. CVE Number: CVE-2023-27390. SUMMARY: A heap-based buffer overflow vulnerability exists in the Sequence::DrawText functionality of Diagon v1.0.139. A specially crafted markdown...

CVSS 7.8 | AI score 7.8 | EPSS 0.00097
Exploits 1
GithubExploit
added 2023/01/03 9:49 a.m. | 260 views

Exploit for Cross-Site Request Forgery (CSRF) in Filebrowser

CVE-2021-46398 - Lalie ARNOUD, Gaspard ANDRIEU In this reposi...

CVSS 8.8 | AI score 9.3 | EPSS 0.1035
Exploits 6
Fedora
added 2022/05/25 1:24 a.m. | 34 views

[SECURITY] Fedora 35 Update: plantuml-1.2022.5-1.fc35

PlantUML is a program for drawing UML diagrams from a simple, human-readable text description. It is extremely useful for documenting code, sketching project architecture during team conversations, and so on. PlantUML supports the following diagram types: - sequence diagram - use case...

CVSS 9.1 | AI score 1.3 | EPSS 0.0028
Exploits 1
Fedora
added 2022/05/25 1:05 a.m. | 26 views

[SECURITY] Fedora 36 Update: plantuml-1.2022.5-1.fc36

PlantUML is a program for drawing UML diagrams from a simple, human-readable text description. It is extremely useful for documenting code, sketching project architecture during team conversations, and so on. PlantUML supports the following diagram types: - sequence diagram - use case...

CVSS 9.1 | AI score 1.3 | EPSS 0.0028
Exploits 1
OpenVAS
added 2022/05/25 12:00 a.m. | 15 views

Fedora: Security Advisory for plantuml (FEDORA-2022-e6c09a89eb)

The remote host is missing an update for the plantuml package. Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 9.1 | AI score 9.4 | EPSS 0.0028
Exploits 1 | References 2