GHSA-cgmm-x5ww-q5cr

Source
https://github.com/advisories/GHSA-cgmm-x5ww-q5cr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-cgmm-x5ww-q5cr/GHSA-cgmm-x5ww-q5cr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cgmm-x5ww-q5cr
Aliases
Published
2026-02-13T18:31:25Z
Modified
2026-02-13T21:28:53.709551Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)
Details

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin.

Database specific
{
    "github_reviewed_at": "2026-02-13T21:04:19Z",
    "nvd_published_at": "2026-02-13T17:16:14Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Package
npm / beautiful-mermaid

Affected ranges
Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.1.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-cgmm-x5ww-q5cr/GHSA-cgmm-x5ww-q5cr.json"