CVE-2026-41159

Source
https://cve.org/CVERecord?id=CVE-2026-41159
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41159.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41159
Aliases
Downstream
Related
Published
2026-05-29T13:53:10.148Z
Modified
2026-07-08T08:05:12.048268999Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L CVSS Calculator
Summary
Mermaid: Improper sanitization of configuration leads to CSS injection
Details

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41159.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/mermaid-js/mermaid

Affected ranges

Type
GIT
Repo
https://github.com/mermaid-js/mermaid
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:mermaid_project:mermaid:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.9.6"
        },
        {
            "introduced": "11.0.0"
        },
        {
            "fixed": "11.15.0"
        }
    ]
}

Affected versions

0.*
0.1.0
0.1.1
0.2.0
0.2.1
0.2.13
0.2.14
0.2.15
0.2.16
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
6.*
6.0.0
7.*
7.0.0
7.0.2
7.0.3
7.0.5
8.*
8.1.0
8.11.0-rc2
8.11.3
8.11.4
8.12.1
8.13.10
8.13.11
8.13.5
8.13.6
8.13.7
8.2.0
8.2.1
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.3.0
8.4.4
8.4.6
8.4.8
8.5.1
8.5.2
8.6.0
8.6.2
8.7.0
8.8.0
8.8.3
8.9.1
8.9.3
9.*
9.1.2
9.1.3
9.1.5
@mermaid-js/examples@1.*
@mermaid-js/examples@1.1.0
@mermaid-js/examples@1.2.0
@mermaid-js/layout-elk@0.*
@mermaid-js/layout-elk@0.1.1
@mermaid-js/layout-elk@0.1.2
@mermaid-js/layout-elk@0.1.3
@mermaid-js/layout-elk@0.1.4
@mermaid-js/layout-elk@0.1.5
@mermaid-js/layout-elk@0.1.6
@mermaid-js/layout-elk@0.1.7
@mermaid-js/layout-elk@0.1.8
@mermaid-js/layout-elk@0.1.9
@mermaid-js/layout-elk@0.2.0
@mermaid-js/layout-elk@0.2.1
@mermaid-js/layout-tidy-tree@0.*
@mermaid-js/layout-tidy-tree@0.2.0
@mermaid-js/layout-tidy-tree@0.2.1
@mermaid-js/layout-tidy-tree@0.2.2
@mermaid-js/mermaid-zenuml@0.*
@mermaid-js/mermaid-zenuml@0.2.1
@mermaid-js/mermaid-zenuml@0.2.2
@mermaid-js/parser@0.*
@mermaid-js/parser@0.2.0
@mermaid-js/parser@0.3.0
@mermaid-js/parser@0.4.0
@mermaid-js/parser@0.5.0
@mermaid-js/parser@0.6.0
@mermaid-js/parser@0.6.1
@mermaid-js/parser@0.6.3
@mermaid-js/parser@1.*
@mermaid-js/parser@1.0.0
@mermaid-js/parser@1.0.1
@mermaid-js/parser@1.1.0
@mermaid-js/parser@1.1.1
@mermaid-js/tiny@11.*
@mermaid-js/tiny@11.10.0
@mermaid-js/tiny@11.10.1
@mermaid-js/tiny@11.11.0
@mermaid-js/tiny@11.12.0
@mermaid-js/tiny@11.12.1
@mermaid-js/tiny@11.12.3
@mermaid-js/tiny@11.13.0
@mermaid-js/tiny@11.14.0
@mermaid-js/tiny@11.7.0
@mermaid-js/tiny@11.8.0
@mermaid-js/tiny@11.8.1
mermaid@11.*
mermaid@11.0.1
mermaid@11.0.2
mermaid@11.1.0
mermaid@11.1.1
mermaid@11.10.0
mermaid@11.10.1
mermaid@11.11.0
mermaid@11.12.0
mermaid@11.12.1
mermaid@11.12.2
mermaid@11.12.3
mermaid@11.13.0
mermaid@11.14.0
mermaid@11.2.0
mermaid@11.2.1
mermaid@11.3.0
mermaid@11.4.0
mermaid@11.4.1
mermaid@11.5.0
mermaid@11.6.0
mermaid@11.7.0
mermaid@11.8.0
mermaid@11.8.1
Other
untagged-31c93788afe260d914bb
untagged-566ebfbf21141b604025
untagged-7651dabb407ecd5631ce
untagged-f43366252632a1a42020
v10.*
v10.1.0
v10.3.0
v10.4.0
v10.7.0
v10.9.0
v10.9.1
v10.9.2
v10.9.3
v10.9.4
v10.9.5
v11.*
v11.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41159.json"