UBUNTU-CVE-2026-41159

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-41159

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41159.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-41159

Upstream

CVE-2026-41159

Published

2026-06-01T00:00:00Z

Modified

2026-06-01T10:15:53.228228879Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.

References

Affected packages

Ubuntu:22.04:LTS / node-mermaid

Package

Name: node-mermaid
Purl: pkg:deb/ubuntu/node-mermaid?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.7.0+ds+~cs27.17.17-3

8.13.3+ds+~cs26.13.21-1

8.13.3+ds+~cs26.13.21-2

8.13.8+~cs10.4.16-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "8.13.8+~cs10.4.16-1",
            "binary_name": "node-mermaid"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41159.json"