Look up vulnerable packages by Package URL.

Purl pkg:npm/mermaid@0.5.4
Type npm
Namespace
Name mermaid
Version 0.5.4
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 10.9.4
Latest_non_vulnerable_version 11.10.0
Affected_by_vulnerabilities
0
url VCID-9hch-63av-c3e2
vulnerability_id VCID-9hch-63av-c3e2
summary
Cross-Site Scripting in mermaid
Versions of `mermaid` prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as `A["<img src=invalid onerror=alert('XSS')></img>"]` is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.


## Recommendation

Upgrade to version 8.2.3 or later
references
0
reference_url https://github.com/knsv/mermaid
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/knsv/mermaid
1
reference_url https://github.com/knsv/mermaid/issues/847
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/knsv/mermaid/issues/847
2
reference_url https://www.npmjs.com/advisories/751
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/751
3
reference_url https://github.com/advisories/GHSA-w32g-5hqp-gg6q
reference_id GHSA-w32g-5hqp-gg6q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w32g-5hqp-gg6q
fixed_packages
0
url pkg:npm/mermaid@8.2.3
purl pkg:npm/mermaid@8.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6qac-5y2d-akdd
1
vulnerability VCID-fgz4-kbun-23bn
2
vulnerability VCID-fwuk-z3uk-1ygf
3
vulnerability VCID-x94b-cysu-4fbe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.2.3
aliases GHSA-w32g-5hqp-gg6q, GMS-2020-747
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9hch-63av-c3e2
1
url VCID-fgz4-kbun-23bn
vulnerability_id VCID-fgz4-kbun-23bn
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mermaid is a JavaScript-based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Malicious diagrams can run JavaScript code on diagram readers' machines. Users should upgrade to receive a patch. There are no known workarounds aside from upgrading.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43861
reference_id
reference_type
scores
0
value 0.00493
scoring_system epss
scoring_elements 0.6574
published_at 2026-04-21T12:55:00Z
1
value 0.00493
scoring_system epss
scoring_elements 0.6562
published_at 2026-04-01T12:55:00Z
2
value 0.00493
scoring_system epss
scoring_elements 0.65669
published_at 2026-04-02T12:55:00Z
3
value 0.00493
scoring_system epss
scoring_elements 0.65699
published_at 2026-04-04T12:55:00Z
4
value 0.00493
scoring_system epss
scoring_elements 0.65664
published_at 2026-04-07T12:55:00Z
5
value 0.00493
scoring_system epss
scoring_elements 0.65715
published_at 2026-04-08T12:55:00Z
6
value 0.00493
scoring_system epss
scoring_elements 0.65728
published_at 2026-04-09T12:55:00Z
7
value 0.00493
scoring_system epss
scoring_elements 0.65749
published_at 2026-04-11T12:55:00Z
8
value 0.00493
scoring_system epss
scoring_elements 0.65735
published_at 2026-04-12T12:55:00Z
9
value 0.00493
scoring_system epss
scoring_elements 0.65705
published_at 2026-04-13T12:55:00Z
10
value 0.00493
scoring_system epss
scoring_elements 0.65741
published_at 2026-04-16T12:55:00Z
11
value 0.00493
scoring_system epss
scoring_elements 0.65754
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43861
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861
2
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
3
reference_url https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
4
reference_url https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43861
reference_id CVE-2021-43861
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43861
6
reference_url https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
reference_id GHSA-p3rp-vmj9-gv6v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
7
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
reference_id GHSA-p3rp-vmj9-gv6v
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
fixed_packages
0
url pkg:npm/mermaid@8.13.8
purl pkg:npm/mermaid@8.13.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6qac-5y2d-akdd
1
vulnerability VCID-fwuk-z3uk-1ygf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.13.8
aliases CVE-2021-43861, GHSA-p3rp-vmj9-gv6v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fgz4-kbun-23bn
2
url VCID-fwuk-z3uk-1ygf
vulnerability_id VCID-fwuk-z3uk-1ygf
summary
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built files:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

This will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js`

**Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.**

### Patches

- `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
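The advisory above is specific about which entry points carry the bundled DOMPurify: the four `dist/` bundles (and any CDN URL pointing at them), but not `dist/mermaid.core.mjs` or the default npm import. The following is an added example, not code from the mermaid project or from VulnerableCode, that scans HTML for jsDelivr-style `npm/mermaid@<version>/<file>` URLs and flags the ones that load an affected bundle at an unfixed version. The fix boundaries (10.9.3 on the 10.x line, 11.0.0-alpha.1 on the 11 prerelease line) are taken from the `fixed_packages` entries above; treating every release below 10.9.3 as affected is an assumption, and the sample HTML is constructed for the demonstration.

```javascript
// Added example (not mermaid's code): find CDN-loaded mermaid bundles that
// still ship the vulnerable DOMPurify. Only the dist files named in the
// advisory are considered; dist/mermaid.core.mjs and the npm import are not.
const BUNDLED_DIST_FILES = new Set([
  'dist/mermaid.min.js',
  'dist/mermaid.js',
  'dist/mermaid.esm.mjs',
  'dist/mermaid.esm.min.mjs',
]);

// Parse "10.9.2" or "11.0.0-alpha.1" into comparable parts; null if not semver.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Returns <0, 0 or >0 following semver precedence (a prerelease sorts below its release).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.main[i] !== y.main[i]) return x.main[i] - y.main[i];
  if (x.pre.length === 0 || y.pre.length === 0) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) { const d = Number(x.pre[i]) - Number(y.pre[i]); if (d) return d; }
    else if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort before alphanumeric ones
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

// Assumption derived from the fixed_packages above: 10.x is fixed from 10.9.3,
// the 11 prerelease line from 11.0.0-alpha.1. Unparseable versions (a dist-tag
// such as "latest") return null because the check cannot decide.
function bundleIsAffected(version) {
  const v = parseSemver(version);
  if (!v) return null;
  if (v.main[0] >= 11) return compareSemver(version, '11.0.0-alpha.1') < 0;
  return compareSemver(version, '10.9.3') < 0;
}

// jsDelivr-style URL: https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
const CDN_RE = /https?:\/\/[^\s"']+\/npm\/mermaid@([^/\s"']+)\/([^\s"']+)/g;

function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(CDN_RE)) {
    const [url, version, file] = m;
    if (!BUNDLED_DIST_FILES.has(file)) continue; // e.g. dist/mermaid.core.mjs: not affected
    findings.push({ url, version, file, affected: bundleIsAffected(version) });
  }
  return findings;
}

// Constructed sample page for the demonstration, not taken from any real site.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js"></script>
<script type="module">
  import mermaid from 'https://cdn.jsdelivr.net/npm/mermaid@10.9.3/dist/mermaid.esm.min.mjs';
</script>
<script src="https://cdn.jsdelivr.net/npm/mermaid@11.0.0-alpha.0/dist/mermaid.js"></script>
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.1/dist/mermaid.core.mjs"></script>
`;

for (const f of scanHtml(SAMPLE_HTML)) {
  console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.version.padEnd(14)} ${f.file}`);
}
```

Of the four script references in the sample, the 10.9.2 and 11.0.0-alpha.0 bundles are flagged, the 10.9.3 ESM bundle is at the fix boundary, and the `mermaid.core.mjs` reference is skipped because that file does not bundle DOMPurify. A version pinned as a dist-tag rather than a number cannot be judged from the URL alone and is reported as undecided.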
references
0
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
1
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
2
reference_url https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
3
reference_url https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
4
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
5
reference_url https://github.com/advisories/GHSA-m4gq-x24j-jpmf
reference_id GHSA-m4gq-x24j-jpmf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m4gq-x24j-jpmf
fixed_packages
0
url pkg:npm/mermaid@10.9.3
purl pkg:npm/mermaid@10.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q79q-8yzx-p3f6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.3
1
url pkg:npm/mermaid@11.0.0-alpha.1
purl pkg:npm/mermaid@11.0.0-alpha.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-q79q-8yzx-p3f6
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.0.0-alpha.1
aliases GHSA-m4gq-x24j-jpmf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fwuk-z3uk-1ygf
3
url VCID-hbtz-4sw3-63dt
vulnerability_id VCID-hbtz-4sw3-63dt
summary
Cross-Site Scripting
If malicious input such as `A["<img src=invalid onerror=alert('XSS')></img>"]` is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.
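Both VCID-9hch-63av-c3e2 and this entry (VCID-hbtz-4sw3-63dt) describe the same failure: a node label is copied into generated markup without output encoding, so the `<img ... onerror=...>` text becomes an element with an inline event handler instead of visible text. The block below is an added example, not mermaid's renderer or its fix; it models the defect with a toy label renderer that builds markup by string interpolation, puts the hardened version next to it, and uses a deliberately crude regex as the check for an inline handler (a real check would parse the resulting DOM).

```javascript
// Added example (not mermaid's code): the payload from these advisories run
// through a toy node-label renderer, unencoded and encoded.
const PAYLOAD = `A["<img src=invalid onerror=alert('XSS')></img>"]`;

// Minimal parser for the `ID["label"]` node syntax quoted in the advisory text.
function parseNode(definition) {
  const m = /^(\w+)\["(.*)"\]$/.exec(definition.trim());
  if (!m) throw new Error(`unrecognised node definition: ${definition}`);
  return { id: m[1], label: m[2] };
}

// Vulnerable pattern: label text is interpolated into markup unchanged
// (improper output encoding), so markup inside the label becomes markup.
function renderNodeUnsafe(node) {
  return `<g id="${node.id}"><foreignObject><div>${node.label}</div></foreignObject></g>`;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern: every attacker-controlled value is encoded for its context,
// so the browser renders the label as text and never creates an <img>.
function renderNodeSafe(node) {
  return `<g id="${escapeHtml(node.id)}"><foreignObject><div>${escapeHtml(node.label)}</div></foreignObject></g>`;
}

// Crude detector: any tag carrying an on*= attribute. Good enough to show the
// difference between the two renderers; not a substitute for a DOM-based check.
function hasInlineEventHandler(markup) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup);
}

const node = parseNode(PAYLOAD);
console.log('unsafe:', hasInlineEventHandler(renderNodeUnsafe(node)));
console.log('safe:  ', hasInlineEventHandler(renderNodeSafe(node)));
```

The unsafe output contains a live `<img>` with an `onerror` handler; the safe output contains the same characters as entities, which is what the advisory means by rendering the input "as text". Encoding is the fix at this layer; sanitising the label (as later mermaid versions do with DOMPurify) is a separate control with its own failure modes, as the bundled-DOMPurify entry on this page shows.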
references
0
reference_url https://github.com/knsv/mermaid/issues/847
reference_id
reference_type
scores
url https://github.com/knsv/mermaid/issues/847
1
reference_url https://github.com/knsv/mermaid/issues/869
reference_id
reference_type
scores
url https://github.com/knsv/mermaid/issues/869
2
reference_url https://www.npmjs.com/advisories/751
reference_id
reference_type
scores
url https://www.npmjs.com/advisories/751
fixed_packages
0
url pkg:npm/mermaid@8.2.3
purl pkg:npm/mermaid@8.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6qac-5y2d-akdd
1
vulnerability VCID-fgz4-kbun-23bn
2
vulnerability VCID-fwuk-z3uk-1ygf
3
vulnerability VCID-x94b-cysu-4fbe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.2.3
aliases GMS-2019-1
risk_score null
exploitability 0.5
weighted_severity 0.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hbtz-4sw3-63dt
4
url VCID-x94b-cysu-4fbe
vulnerability_id VCID-x94b-cysu-4fbe
summary
Cross-site Scripting in Mermaid
Mermaid before 8.11.0 allows XSS when the antiscript feature is used.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-35513
reference_id
reference_type
scores
0
value 0.00307
scoring_system epss
scoring_elements 0.53907
published_at 2026-04-24T12:55:00Z
1
value 0.00307
scoring_system epss
scoring_elements 0.53851
published_at 2026-04-02T12:55:00Z
2
value 0.00307
scoring_system epss
scoring_elements 0.5388
published_at 2026-04-04T12:55:00Z
3
value 0.00307
scoring_system epss
scoring_elements 0.53854
published_at 2026-04-07T12:55:00Z
4
value 0.00307
scoring_system epss
scoring_elements 0.53905
published_at 2026-04-08T12:55:00Z
5
value 0.00307
scoring_system epss
scoring_elements 0.53904
published_at 2026-04-09T12:55:00Z
6
value 0.00307
scoring_system epss
scoring_elements 0.5395
published_at 2026-04-11T12:55:00Z
7
value 0.00307
scoring_system epss
scoring_elements 0.53933
published_at 2026-04-12T12:55:00Z
8
value 0.00307
scoring_system epss
scoring_elements 0.53916
published_at 2026-04-13T12:55:00Z
9
value 0.00307
scoring_system epss
scoring_elements 0.53954
published_at 2026-04-16T12:55:00Z
10
value 0.00307
scoring_system epss
scoring_elements 0.5396
published_at 2026-04-18T12:55:00Z
11
value 0.00307
scoring_system epss
scoring_elements 0.53941
published_at 2026-04-21T12:55:00Z
12
value 0.00307
scoring_system epss
scoring_elements 0.53832
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-35513
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513
2
reference_url https://github.com/mermaid-js/mermaid/issues/2122
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/issues/2122
3
reference_url https://github.com/mermaid-js/mermaid/pull/2123
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/pull/2123
4
reference_url https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e
5
reference_url https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-35513
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-35513
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449
reference_id 990449
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449
8
reference_url https://github.com/advisories/GHSA-4f6x-49g2-99fm
reference_id GHSA-4f6x-49g2-99fm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4f6x-49g2-99fm
fixed_packages
0
url pkg:npm/mermaid@8.11.0
purl pkg:npm/mermaid@8.11.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-6qac-5y2d-akdd
1
vulnerability VCID-fgz4-kbun-23bn
2
vulnerability VCID-fwuk-z3uk-1ygf
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.11.0
aliases CVE-2021-35513, GHSA-4f6x-49g2-99fm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x94b-cysu-4fbe
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@0.5.4
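The detail a practitioner should take from this record is that every `fixed_packages` entry is itself marked `is_vulnerable true`: 8.2.3 closes one XSS and is still open to four other advisories, 8.13.8 and 10.9.3 likewise. The per-advisory fix version is therefore not a safe upgrade target; the package-level `next_non_vulnerable_version` (10.9.4 here) is. The block below is an added example, not VulnerableCode's client code. It parses the Package URL the lookup was made with, following the `pkg:type/namespace/name@version?qualifiers#subpath` grammar, and triages a response object whose shape mirrors this record. That sample response is constructed from values shown on this page (three of the five advisories, `aliases` as an array rather than the comma-separated string above) and is not fetched from the API.

```javascript
// Added example (not VulnerableCode's code): parse a Package URL and triage a
// VulnerableCode-style package record into an upgrade decision.

// Grammar: pkg:type/namespace/name@version?qualifiers#subpath
// Components are split from the right, then percent-decoded, as the purl spec requires.
function parsePurl(purl) {
  if (!purl.startsWith('pkg:')) throw new Error('not a Package URL: ' + purl);
  let rest = purl.slice(4).replace(/^\/+/, '');
  let subpath = null, version = null;
  const qualifiers = {};
  const hash = rest.lastIndexOf('#');
  if (hash !== -1) { subpath = rest.slice(hash + 1); rest = rest.slice(0, hash); }
  const q = rest.lastIndexOf('?');
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      const eq = pair.indexOf('=');
      const key = (eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
      if (key) qualifiers[key] = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    }
    rest = rest.slice(0, q);
  }
  const at = rest.lastIndexOf('@'); // a literal @ in a namespace is %40 in canonical form
  if (at !== -1) { version = decodeURIComponent(rest.slice(at + 1)); rest = rest.slice(0, at); }
  const segments = rest.split('/').filter(Boolean).map(decodeURIComponent);
  if (segments.length < 2) throw new Error('Package URL needs a type and a name: ' + purl);
  const type = segments.shift().toLowerCase();
  const name = segments.pop();
  const namespace = segments.length ? segments.join('/') : null;
  return { type, namespace, name, version, qualifiers, subpath };
}

// Constructed from the record above; only the fields the triage reads are kept.
const SAMPLE_RESPONSE = {
  purl: 'pkg:npm/mermaid@0.5.4',
  is_vulnerable: true,
  next_non_vulnerable_version: '10.9.4',
  latest_non_vulnerable_version: '11.10.0',
  affected_by_vulnerabilities: [
    { vulnerability_id: 'VCID-9hch-63av-c3e2', aliases: ['GHSA-w32g-5hqp-gg6q', 'GMS-2020-747'],
      fixed_packages: [{ purl: 'pkg:npm/mermaid@8.2.3', is_vulnerable: true,
        affected_by_vulnerabilities: [
          { vulnerability: 'VCID-6qac-5y2d-akdd' }, { vulnerability: 'VCID-fgz4-kbun-23bn' },
          { vulnerability: 'VCID-fwuk-z3uk-1ygf' }, { vulnerability: 'VCID-x94b-cysu-4fbe' }] }] },
    { vulnerability_id: 'VCID-fgz4-kbun-23bn', aliases: ['CVE-2021-43861', 'GHSA-p3rp-vmj9-gv6v'],
      fixed_packages: [{ purl: 'pkg:npm/mermaid@8.13.8', is_vulnerable: true,
        affected_by_vulnerabilities: [
          { vulnerability: 'VCID-6qac-5y2d-akdd' }, { vulnerability: 'VCID-fwuk-z3uk-1ygf' }] }] },
    { vulnerability_id: 'VCID-fwuk-z3uk-1ygf', aliases: ['GHSA-m4gq-x24j-jpmf'],
      fixed_packages: [{ purl: 'pkg:npm/mermaid@10.9.3', is_vulnerable: true,
        affected_by_vulnerabilities: [{ vulnerability: 'VCID-q79q-8yzx-p3f6' }] }] },
  ],
};

// For each advisory, list its fix version, whether that "fixed" package is itself
// still flagged, and what it is still open to; then pick the upgrade target from
// the package-level field, which accounts for every advisory at once.
function triage(response) {
  const advisories = response.affected_by_vulnerabilities.map(v => ({
    id: v.vulnerability_id,
    aliases: v.aliases,
    fixes: v.fixed_packages.map(fp => ({
      version: parsePurl(fp.purl).version,
      stillVulnerable: fp.is_vulnerable,
      openIssues: fp.affected_by_vulnerabilities.map(a => a.vulnerability),
    })),
  }));
  return {
    package: parsePurl(response.purl),
    advisories,
    anyFixVersionIsClean: advisories.some(a => a.fixes.some(f => !f.stillVulnerable)),
    upgradeTarget: response.is_vulnerable ? response.next_non_vulnerable_version : null,
  };
}

console.log(JSON.stringify(triage(SAMPLE_RESPONSE), null, 2));
```

For this record `anyFixVersionIsClean` is false and `upgradeTarget` is 10.9.4, which matches the `Next_non_vulnerable_version` field at the top of the page. When automating this, treat `fixed_packages` as provenance for the advisory and `next_non_vulnerable_version` (or `latest_non_vulnerable_version`, if you can absorb the major-version jump) as the version to pin.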