CVE-2026-41159 is a CSS injection vulnerability in Mermaid, a JavaScript diagramming library. The issue stems from Mermaid's default configuration allowing untrusted CSS injection through the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options. The vulnerability exploits stylis's `&` (scope reference) handling, where `:not(&)` selectors escape the automatic `#mermaid-xxx` scoping and apply [truncated]
A denial-of-service vulnerability exists in Mermaid, a JavaScript diagramming library, when rendering Gantt charts with the excludes attribute configured to exclude all dates. The issue affects versions prior to 10.9.6 and 11.15.0. While mermaid.parse itself is not directly vulnerable, the ganttDb.getTasks() function—invoked during diagram rendering—triggers the flaw. An attacker could exploit this by sup [truncated]
Mermaid, a JavaScript diagramming library, contains an HTML injection vulnerability in its state diagram classDef directive. Affected versions (10.9.5 and earlier, plus 11.0.0-alpha.1 through 11.14.0) allow DOM injection that escapes the SVG rendering context. While <script> tags are filtered preventing XSS, the injection can still manipulate page structure and potentially enable phishing or UI redressing [truncated]
Mermaid, a JavaScript diagramming library, contains a CSS injection vulnerability in versions 10.9.5 and prior, as well as 11.0.0-alpha.1 through 11.12.0. The flaw exists in the state diagram parser and other diagram types that route user-controlled style strings through createCssStyles. The classDef values are captured using an unrestricted regex matching everything up to a newline, which then flows unsa [truncated]