Lookup for vulnerable packages by Package URL.
| Purl | pkg:npm/mermaid@8.0.0-alpha.1 |
|---|
| Type | npm |
|---|
| Namespace | |
|---|
| Name | mermaid |
|---|
| Version | 8.0.0-alpha.1 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 10.9.4 |
|---|
| Latest_non_vulnerable_version | 11.10.0 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-9hch-63av-c3e2 |
| vulnerability_id |
VCID-9hch-63av-c3e2 |
| summary |
Cross-Site Scripting in mermaid
Versions of `mermaid` prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as `A["<img src=invalid onerror=alert('XSS')></img>"] ` is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.
## Recommendation
Upgrade to version 8.2.3 or later |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-w32g-5hqp-gg6q, GMS-2020-747
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9hch-63av-c3e2 |
|
| 1 |
| url |
VCID-fgz4-kbun-23bn |
| vulnerability_id |
VCID-fgz4-kbun-23bn |
| summary |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams., malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to to receive a patch. There are no known workarounds aside from upgrading. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-43861 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.6574 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.6562 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65669 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65699 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65664 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65728 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65749 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65735 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65705 |
| published_at |
2026-04-13T12:55:00Z |
|
| 10 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65741 |
| published_at |
2026-04-16T12:55:00Z |
|
| 11 |
| value |
0.00493 |
| scoring_system |
epss |
| scoring_elements |
0.65754 |
| published_at |
2026-04-24T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-43861 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-43861, GHSA-p3rp-vmj9-gv6v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fgz4-kbun-23bn |
|
| 2 |
| url |
VCID-fwuk-z3uk-1ygf |
| vulnerability_id |
VCID-fwuk-z3uk-1ygf |
| summary |
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`
This will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js`
**Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.**
### Patches
- `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34 |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-m4gq-x24j-jpmf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fwuk-z3uk-1ygf |
|
| 3 |
| url |
VCID-hbtz-4sw3-63dt |
| vulnerability_id |
VCID-hbtz-4sw3-63dt |
| summary |
Cross-Site Scripting
If malicious input such as `A["<img src=invalid onerror=alert('XSS')></img>"]` is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding. |
| references |
|
| fixed_packages |
|
| aliases |
GMS-2019-1
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hbtz-4sw3-63dt |
|
| 4 |
| url |
VCID-x94b-cysu-4fbe |
| vulnerability_id |
VCID-x94b-cysu-4fbe |
| summary |
Cross-site Scripting in Mermaid
Mermaid before 8.11.0 allows XSS when the antiscript feature is used. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-35513 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53907 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53851 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.5388 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53854 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53905 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53904 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.5395 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53933 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53916 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53954 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.5396 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53941 |
| published_at |
2026-04-21T12:55:00Z |
|
| 12 |
| value |
0.00307 |
| scoring_system |
epss |
| scoring_elements |
0.53832 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-35513 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-35513, GHSA-4f6x-49g2-99fm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x94b-cysu-4fbe |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | 4.0 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.0.0-alpha.1 |
|---|