GHSA-ghcm-xqfw-q4vr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-ghcm-xqfw-q4vr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-ghcm-xqfw-q4vr/GHSA-ghcm-xqfw-q4vr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-ghcm-xqfw-q4vr
- Aliases
-
- CVE-2026-41149
- Published
- 2026-05-11T19:36:46Z
- Modified
- 2026-05-11T19:49:03.497911Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L CVSS Calculator
- Summary
- Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
- Details
-
Impact
Under the default configuration, Mermaid state diagram's
classDefallow DOM injection that escapes the SVG, although<script>tags are removed, preventing XSS.Proof-of-concept
stateDiagram-v2 classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b [*] --> A:::xssPatches
- v11.15.0 (see 37ff937f1da2e19f882fd1db01235db4d01f4056)
- v10.9.6 (see 4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)
Workarounds
If you can not update to a patched version, setting
"securityLevel": "sandbox"will prevent this, by rendering the mermaid diagram in a sandboxed<iframe>.Credits
Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-05-11T19:36:46Z", "cwe_ids": [ "CWE-94" ], "severity": "MODERATE", "nvd_published_at": null }- References
-
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
- https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
- https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
- https://github.com/mermaid-js/mermaid
- https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
- https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
- https://mermaid.js.org/config/schema-docs/config.html#securitylevel
Affected packages
npm / mermaid
Package
- Name
- mermaid
- View open source insights on deps.dev
- Purl
- pkg:npm/mermaid
npm / mermaid
Package
- Name
- mermaid
- View open source insights on deps.dev
- Purl
- pkg:npm/mermaid