Unrated severity · NVD Advisory · Published Jan 4, 2023 · Updated Mar 10, 2025
Arbitrary HTML injection in discourse-mermaid-theme-component
CVE-2022-46180
Description
Discourse Mermaid (discourse-mermaid-theme-component) allows users of Discourse, open-source forum software, to create graphs using the Mermaid syntax. Users of discourse-mermaid-theme-component version 1.0.0 who can create posts are able to inject arbitrary HTML on that post. The issue has been fixed on the main branch of the GitHub repository, with 1.1.0 named as a patched version. Admins can update the theme component through the admin UI. As a workaround, admins can temporarily disable discourse-mermaid-theme-component.
Affected products
- (no CPE) range: = 1.0.0
References
- github.com/discourse/discourse-mermaid-theme-component/commit/c10bc4a08bf865cee20e5d5dffba535762813f0f (mitre, x_refsource_MISC)
- github.com/discourse/discourse-mermaid-theme-component/pull/14 (mitre, x_refsource_MISC)
- github.com/discourse/discourse-mermaid-theme-component/security/advisories/GHSA-8437-hgcm-p3q3 (mitre, x_refsource_CONFIRM)