CVE-2026-26226

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-26226
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26226.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26226
Aliases
Published
2026-02-13T17:16:14.073Z
Modified
2026-02-16T01:01:59.629230Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin.

References

Affected packages

Git / github.com/lukilabs/beautiful-mermaid

Affected ranges

Type
GIT
Repo
https://github.com/lukilabs/beautiful-mermaid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f392f51261eda80b54671dcb9fbc1be6c4b93b71

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26226.json"