Close Menu
    Subscribe
    Alerts

    CVE-2026-41149 | THREATINT

    adminBy No Comments1 Min Read


    Home

    Description

    Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However,

    PUBLISHED Reserved 2026-04-17 | Published 2026-05-22 | Updated 2026-05-22 | Assigner GitHub_M

    MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

    Problem types

    CWE-94: Improper Control of Generation of Code (‘Code Injection’)

    Product status

    >= 11.0.0-alpha.1, < 11.15.0
    affected

    < 10.9.6
    affected

    References

    github.com/…ermaid/security/advisories/GHSA-ghcm-xqfw-q4vr

    github.com/…ommit/37ff937f1da2e19f882fd1db01235db4d01f4056

    github.com/…ommit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3

    cve.org (CVE-2026-41149)

    nvd.nist.gov (CVE-2026-41149)

    Download JSON



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.