npm package
mermaid
pkg:npm/mermaid
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41159 | | — | | >= 11.0.0-alpha.1, < 11.15.0 | 11.15.0 | May 11, 2026 | Impact: Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ) |
| CVE-2026-41150 | | — | | >= 11.0.0-alpha.1, < 11.15.0 | 11.15.0 | May 11, 2026 | Impact: Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates. Example: `gantt excludes monday,tuesday,wedne` |
| CVE-2026-41149 | | — | | >= 11.0.0-alpha.1, < 11.15.0 | 11.15.0 | May 11, 2026 | Impact: Under the default configuration, Mermaid state diagrams' `classDef` allows DOM injection that escapes the SVG, although `` tags are removed, preventing XSS. Proof-of-concept: `stateDiagram-v2 classDef xss fill:red*{x:x;y:y;overfl` |
| CVE-2026-41148 | | — | | >= 11.0.0-alpha.1, < 11.15.0 | 11.15.0 | May 11, 2026 | Details: The state diagram, and any other diagram type that routes user-controlled style strings through the createCssStyles parser, in Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex (jison): `// packages/mermaid/src/diagrams/state/parser/state` |
| CVE-2025-54881 | Med | — | | >= 11.0.0-alpha.1, < 11.10.0 | 11.10.0 | Aug 19, 2025 | Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user-supplied input for sequence diagram labels is passed |
| CVE-2025-54880 | | — | | >= 11.1.0, < 11.10.0 | 11.10.0 | Aug 19, 2025 | Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user-supplied input for architecture diagram icons is passed |
| CVE-2022-31108 | | — | | >= 8.0.0, < 9.1.2 | 9.1.2 | Jun 28, 2022 | Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary CSS into the generated graph, allowing them to change the styling of elements ou |
| CVE-2021-43861 | | — | | < 8.13.8 | 8.13.8 | Dec 30, 2021 | Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run JavaScript code on diagram readers' machines. Users should upgrade to |
| CVE-2021-35513 | | — | | < 8.11.0 | 8.11.0 | Jun 27, 2021 | Mermaid before 8.11.0 allows XSS when the antiscript feature is used. |