Lookup for vulnerable packages by Package URL.

Purl pkg:npm/mermaid@8.7.0
Type npm
Namespace
Name mermaid
Version 8.7.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 10.9.6
Latest_non_vulnerable_version 11.15.0
Affected_by_vulnerabilities
0
url VCID-2y19-u1q1-rkfx
vulnerability_id VCID-2y19-u1q1-rkfx
summary Cross-site Scripting in Mermaid
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-35513
reference_id
reference_type
scores
0
value 0.00307
scoring_system epss
scoring_elements 0.54437
published_at 2026-06-12T12:55:00Z
1
value 0.00307
scoring_system epss
scoring_elements 0.54312
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-35513
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513
2
reference_url https://github.com/mermaid-js/mermaid/issues/2122
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/issues/2122
3
reference_url https://github.com/mermaid-js/mermaid/pull/2123
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/pull/2123
4
reference_url https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e
5
reference_url https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449
reference_id 990449
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-35513
reference_id CVE-2021-35513
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-35513
8
reference_url https://github.com/advisories/GHSA-4f6x-49g2-99fm
reference_id GHSA-4f6x-49g2-99fm
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4f6x-49g2-99fm
fixed_packages
0
url pkg:npm/mermaid@8.11.0
purl pkg:npm/mermaid@8.11.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bu1t-mfhx-1yet
1
vulnerability VCID-j4ej-bzys-3fag
2
vulnerability VCID-qcuu-a2xn-9bhv
3
vulnerability VCID-t4vq-rewd-63c6
4
vulnerability VCID-thcv-t41j-hqct
5
vulnerability VCID-trvn-qh5r-bffg
6
vulnerability VCID-v3d4-gbq4-rubq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.11.0
aliases CVE-2021-35513, GHSA-4f6x-49g2-99fm
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2y19-u1q1-rkfx
1
url VCID-bu1t-mfhx-1yet
vulnerability_id VCID-bu1t-mfhx-1yet
summary Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41150.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41150.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41150
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17688
published_at 2026-06-12T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17528
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41150
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41150
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41150
3
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41150
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41150
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2483296
reference_id 2483296
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2483296
6
reference_url https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6
reference_id a59ea56174712ee5430dfd5bc877cb5151f501a6
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/
url https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6
7
reference_url https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
reference_id faafb5d49106dd32c367f3882505f2dd625aa30e
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/
url https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
8
reference_url https://github.com/advisories/GHSA-6m6c-36f7-fhxh
reference_id GHSA-6m6c-36f7-fhxh
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6m6c-36f7-fhxh
9
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
reference_id GHSA-6m6c-36f7-fhxh
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
10
reference_url https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
reference_id mermaid%4011.15.0
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/
url https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
11
reference_url https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
reference_id v10.9.6
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/
url https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
fixed_packages
0
url pkg:npm/mermaid@10.9.6
purl pkg:npm/mermaid@10.9.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6
1
url pkg:npm/mermaid@11.15.0
purl pkg:npm/mermaid@11.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0
aliases CVE-2026-41150, GHSA-6m6c-36f7-fhxh
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bu1t-mfhx-1yet
2
url VCID-j4ej-bzys-3fag
vulnerability_id VCID-j4ej-bzys-3fag
summary
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built files:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

This will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js`

**Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.**

### Patches

- `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
references
0
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
1
reference_url https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
2
reference_url https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
3
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
4
reference_url https://github.com/advisories/GHSA-m4gq-x24j-jpmf
reference_id GHSA-m4gq-x24j-jpmf
reference_type
scores
url https://github.com/advisories/GHSA-m4gq-x24j-jpmf
5
reference_url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
reference_id GHSA-mmhx-hmjr-r674
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
fixed_packages
0
url pkg:npm/mermaid@10.9.3
purl pkg:npm/mermaid@10.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9dw3-j3nm-9baz
1
vulnerability VCID-bu1t-mfhx-1yet
2
vulnerability VCID-qcuu-a2xn-9bhv
3
vulnerability VCID-trvn-qh5r-bffg
4
vulnerability VCID-v3d4-gbq4-rubq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.3
1
url pkg:npm/mermaid@11.0.0-alpha.1
purl pkg:npm/mermaid@11.0.0-alpha.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9dw3-j3nm-9baz
1
vulnerability VCID-bu1t-mfhx-1yet
2
vulnerability VCID-qcuu-a2xn-9bhv
3
vulnerability VCID-trvn-qh5r-bffg
4
vulnerability VCID-v3d4-gbq4-rubq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.0.0-alpha.1
aliases GHSA-m4gq-x24j-jpmf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j4ej-bzys-3fag
3
url VCID-qcuu-a2xn-9bhv
vulnerability_id VCID-qcuu-a2xn-9bhv
summary Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram (and any other diagram type that routes user-controlled style strings through the createCssStyles parser) captures classDef values using an unrestricted regex that matches everything up to a newline. That value then flows unsanitized through addStyleClass() into createCssStyles() and is assigned to style.innerHTML, so a closing brace (}) in the value terminates the generated CSS selector and turns everything after it into a new CSS rule on the page. This enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration. This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting "securityLevel": "sandbox", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41148
reference_id
reference_type
scores
0
value 0.00074
scoring_system epss
scoring_elements 0.22507
published_at 2026-06-11T12:55:00Z
1
value 0.00074
scoring_system epss
scoring_elements 0.22702
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41148
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41148
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41148
2
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41148
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41148
4
reference_url https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102
reference_id 8fead23c59166b7bab6a39eac81acebee2859102
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/
url https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102
5
reference_url https://mermaid.js.org/config/schema-docs/config.html#securitylevel
reference_id config.html#securitylevel
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/
url https://mermaid.js.org/config/schema-docs/config.html#securitylevel
6
reference_url https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f
reference_id e9b0f34d8d82a6260077764ee45e1d7d90957a0f
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/
url https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f
7
reference_url https://github.com/advisories/GHSA-xcj9-5m2h-648r
reference_id GHSA-xcj9-5m2h-648r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xcj9-5m2h-648r
8
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
reference_id GHSA-xcj9-5m2h-648r
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
9
reference_url https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
reference_id mermaid%4011.15.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/
url https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
10
reference_url https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
reference_id v10.9.6
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/
url https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
fixed_packages
0
url pkg:npm/mermaid@10.9.6
purl pkg:npm/mermaid@10.9.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6
1
url pkg:npm/mermaid@11.15.0
purl pkg:npm/mermaid@11.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0
aliases CVE-2026-41148, GHSA-xcj9-5m2h-648r
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qcuu-a2xn-9bhv
4
url VCID-t4vq-rewd-63c6
vulnerability_id VCID-t4vq-rewd-63c6
summary Incorrect sanitisation function leads to `XSS` in mermaid
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43861
reference_id
reference_type
scores
0
value 0.00493
scoring_system epss
scoring_elements 0.66248
published_at 2026-06-12T12:55:00Z
1
value 0.00493
scoring_system epss
scoring_elements 0.66155
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43861
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861
2
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
3
reference_url https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
4
reference_url https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/releases/tag/8.13.8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43861
reference_id CVE-2021-43861
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43861
6
reference_url https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
reference_id GHSA-p3rp-vmj9-gv6v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p3rp-vmj9-gv6v
7
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
reference_id GHSA-p3rp-vmj9-gv6v
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
fixed_packages
0
url pkg:npm/mermaid@8.13.8
purl pkg:npm/mermaid@8.13.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bu1t-mfhx-1yet
1
vulnerability VCID-j4ej-bzys-3fag
2
vulnerability VCID-qcuu-a2xn-9bhv
3
vulnerability VCID-thcv-t41j-hqct
4
vulnerability VCID-trvn-qh5r-bffg
5
vulnerability VCID-v3d4-gbq4-rubq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.13.8
aliases CVE-2021-43861, GHSA-p3rp-vmj9-gv6v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t4vq-rewd-63c6
5
url VCID-thcv-t41j-hqct
vulnerability_id VCID-thcv-t41j-hqct
summary Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31108
reference_id
reference_type
scores
0
value 0.00235
scoring_system epss
scoring_elements 0.46844
published_at 2026-06-12T12:55:00Z
1
value 0.00235
scoring_system epss
scoring_elements 0.46701
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31108
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31108
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31108
2
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
3
reference_url https://github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225
reference_id 0ae1bdb61adff1cd485caff8c62ec6b8ac57b225
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:53Z/
url https://github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014540
reference_id 1014540
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014540
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31108
reference_id CVE-2022-31108
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31108
6
reference_url https://github.com/advisories/GHSA-x3vm-38hw-55wf
reference_id GHSA-x3vm-38hw-55wf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x3vm-38hw-55wf
7
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf
reference_id GHSA-x3vm-38hw-55wf
reference_type
scores
0
value 4.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:53Z/
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf
fixed_packages
0
url pkg:npm/mermaid@9.1.2
purl pkg:npm/mermaid@9.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bu1t-mfhx-1yet
1
vulnerability VCID-j4ej-bzys-3fag
2
vulnerability VCID-qcuu-a2xn-9bhv
3
vulnerability VCID-thcv-t41j-hqct
4
vulnerability VCID-trvn-qh5r-bffg
5
vulnerability VCID-v3d4-gbq4-rubq
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@9.1.2
aliases CVE-2022-31108, GHSA-x3vm-38hw-55wf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-thcv-t41j-hqct
6
url VCID-trvn-qh5r-bffg
vulnerability_id VCID-trvn-qh5r-bffg
summary Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, <script> tags are stripped, which prevents cross-site scripting (XSS). This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting "securityLevel": "sandbox", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41149
reference_id
reference_type
scores
0
value 0.00059
scoring_system epss
scoring_elements 0.18611
published_at 2026-06-11T12:55:00Z
1
value 0.00059
scoring_system epss
scoring_elements 0.18774
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41149
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41149
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41149
2
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41149
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41149
4
reference_url https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
reference_id 37ff937f1da2e19f882fd1db01235db4d01f4056
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T03:21:57Z/
url https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
5
reference_url https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
reference_id 4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T03:21:57Z/
url https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
6
reference_url https://github.com/advisories/GHSA-ghcm-xqfw-q4vr
reference_id GHSA-ghcm-xqfw-q4vr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-ghcm-xqfw-q4vr
7
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
reference_id GHSA-ghcm-xqfw-q4vr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T03:21:57Z/
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
fixed_packages
0
url pkg:npm/mermaid@10.9.6
purl pkg:npm/mermaid@10.9.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6
1
url pkg:npm/mermaid@11.15.0
purl pkg:npm/mermaid@11.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0
aliases CVE-2026-41149, GHSA-ghcm-xqfw-q4vr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-trvn-qh5r-bffg
7
url VCID-v3d4-gbq4-rubq
vulnerability_id VCID-v3d4-gbq4-rubq
summary Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-41159
reference_id
reference_type
scores
0
value 0.00057
scoring_system epss
scoring_elements 0.18407
published_at 2026-06-12T12:55:00Z
1
value 0.00057
scoring_system epss
scoring_elements 0.18243
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-41159
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41159
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41159
2
reference_url https://github.com/mermaid-js/mermaid
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid
3
reference_url https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
4
reference_url https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-41159
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-41159
6
reference_url https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aahttps://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
reference_id a9d9f0d8eb790349121508688cd338253fd80d76
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/
url https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aahttps://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
7
reference_url https://github.com/advisories/GHSA-87f9-hvmw-gh4p
reference_id GHSA-87f9-hvmw-gh4p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-87f9-hvmw-gh4p
8
reference_url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
reference_id GHSA-87f9-hvmw-gh4p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/
url https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
9
reference_url https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0
reference_id mermaid@11.15.0
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/
url https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0
10
reference_url https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
reference_id v10.9.6
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/
url https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
fixed_packages
0
url pkg:npm/mermaid@10.9.6
purl pkg:npm/mermaid@10.9.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6
1
url pkg:npm/mermaid@11.15.0
purl pkg:npm/mermaid@11.15.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0
aliases CVE-2026-41159, GHSA-87f9-hvmw-gh4p
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v3d4-gbq4-rubq
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.7.0