{"url":"http://public2.vulnerablecode.io/api/packages/508651?format=json","purl":"pkg:npm/mermaid@8.6.3","type":"npm","namespace":"","name":"mermaid","version":"8.6.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"10.9.6","latest_non_vulnerable_version":"11.15.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/206895?format=json","vulnerability_id":"VCID-2y19-u1q1-rkfx","summary":"Cross-site Scripting in Mermaid","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-35513","reference_id":"","reference_type":"","scores":[{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54437","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54312","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00307","scoring_system":"epss","scoring_elements":"0.54453","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-35513"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513"},{"reference_url":"https://github.com/mermaid-js/mermaid/issues/2122","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/issues/2122"},{"reference_url":"https://github.com/mermaid-js/mermaid/pull/2123","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/pull/2123"},{"reference_url":"https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/pull/2123/commits/3d22fa5d2435de5acc18de6f88474a6e8675a60e"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/8.11.0-rc2"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449","reference_id":"990449","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990449"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35513","reference_id":"CVE-2021-35513","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-35513"},{"reference_url":"https://github.com/advisories/GHSA-4f6x-49g2-99fm","reference_id":"GHSA-4f6x-49g2-99fm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4f6x-49g2-99fm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18301?format=json","purl":"pkg:npm/mermaid@8.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bu1t-mfhx-1yet"},{"vulnerability":"VCID-j4ej-bzys-3fag"},{"vulnerability":"VCID-qcuu-a2xn-9bhv"},{"vulnerability":"VCID-t4vq-rewd-63c6"},{"vulnerability":"VCID-thcv-t41j-hqct"},{"vulnerability":"VCID-trvn-qh5r-bffg"},{"vulnerability":"VCID-v3d4-gbq4-rubq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.11.0"}],"aliases":["CVE-2021-35513","GHSA-4f6x-49g2-99fm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2y19-u1q1-rkfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80990?format=json","vulnerability_id":"VCID-bu1t-mfhx-1yet","summary":"Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41150.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41150.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41150","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17528","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17705","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17688","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41150"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41150","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41150"},{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41150","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41150"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2483296","reference_id":"2483296","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2483296"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6","reference_id":"a59ea56174712ee5430dfd5bc877cb5151f501a6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e","reference_id":"faafb5d49106dd32c367f3882505f2dd625aa30e","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e"},{"reference_url":"https://github.com/advisories/GHSA-6m6c-36f7-fhxh","reference_id":"GHSA-6m6c-36f7-fhxh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6m6c-36f7-fhxh"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh","reference_id":"GHSA-6m6c-36f7-fhxh","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/"}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0","reference_id":"mermaid%4011.15.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/"}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6","reference_id":"v10.9.6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T16:16:21Z/"}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375476?format=json","purl":"pkg:npm/mermaid@10.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375475?format=json","purl":"pkg:npm/mermaid@11.15.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0"}],"aliases":["CVE-2026-41150","GHSA-6m6c-36f7-fhxh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bu1t-mfhx-1yet"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359604?format=json","vulnerability_id":"VCID-j4ej-bzys-3fag","summary":"Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify\nThe following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.\n\nThis affects the built:\n\n- `dist/mermaid.min.js`\n- `dist/mermaid.js`\n- `dist/mermaid.esm.mjs`\n- `dist/mermaid.esm.min.mjs`\n\nThis will also affect users that use the above files via a CDN link, e.g. `https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js`\n\n**Users that use the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or the `dist/mermaid.core.mjs` file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like `npm audit fix`.**\n\n### Patches\n\n- `develop` branch: 6c785c93166c151d27d328ddf68a13d9d65adc00\n- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34","references":[{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf"},{"reference_url":"https://github.com/advisories/GHSA-m4gq-x24j-jpmf","reference_id":"GHSA-m4gq-x24j-jpmf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m4gq-x24j-jpmf"},{"reference_url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674","reference_id":"GHSA-mmhx-hmjr-r674","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/372005?format=json","purl":"pkg:npm/mermaid@10.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9dw3-j3nm-9baz"},{"vulnerability":"VCID-bu1t-mfhx-1yet"},{"vulnerability":"VCID-qcuu-a2xn-9bhv"},{"vulnerability":"VCID-trvn-qh5r-bffg"},{"vulnerability":"VCID-v3d4-gbq4-rubq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/754421?format=json","purl":"pkg:npm/mermaid@11.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9dw3-j3nm-9baz"},{"vulnerability":"VCID-bu1t-mfhx-1yet"},{"vulnerability":"VCID-qcuu-a2xn-9bhv"},{"vulnerability":"VCID-trvn-qh5r-bffg"},{"vulnerability":"VCID-v3d4-gbq4-rubq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.0.0-alpha.1"}],"aliases":["GHSA-m4gq-x24j-jpmf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j4ej-bzys-3fag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81043?format=json","vulnerability_id":"VCID-qcuu-a2xn-9bhv","summary":"Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram (and any other diagram type that routes user-controlled style strings through the createCssStyles parser) captures classDef values using an unrestricted regex that matches everything up to a newline. That value then flows unsanitized through addStyleClass() into createCssStyles() and is assigned to style.innerHTML, so a closing brace (}) in the value terminates the generated CSS selector and turns everything after it into a new CSS rule on the page. This enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration. This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting \"securityLevel\": \"sandbox\", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41148","reference_id":"","reference_type":"","scores":[{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22715","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22702","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00074","scoring_system":"epss","scoring_elements":"0.22507","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41148"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41148","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41148"},{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41148","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41148"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102","reference_id":"8fead23c59166b7bab6a39eac81acebee2859102","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102"},{"reference_url":"https://mermaid.js.org/config/schema-docs/config.html#securitylevel","reference_id":"config.html#securitylevel","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/"}],"url":"https://mermaid.js.org/config/schema-docs/config.html#securitylevel"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f","reference_id":"e9b0f34d8d82a6260077764ee45e1d7d90957a0f","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f"},{"reference_url":"https://github.com/advisories/GHSA-xcj9-5m2h-648r","reference_id":"GHSA-xcj9-5m2h-648r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xcj9-5m2h-648r"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r","reference_id":"GHSA-xcj9-5m2h-648r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/"}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0","reference_id":"mermaid%4011.15.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/"}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6","reference_id":"v10.9.6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-27T13:25:29Z/"}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375476?format=json","purl":"pkg:npm/mermaid@10.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375475?format=json","purl":"pkg:npm/mermaid@11.15.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0"}],"aliases":["CVE-2026-41148","GHSA-xcj9-5m2h-648r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qcuu-a2xn-9bhv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207083?format=json","vulnerability_id":"VCID-t4vq-rewd-63c6","summary":"Incorrect sanitisation function leads to `XSS` in mermaid","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43861","reference_id":"","reference_type":"","scores":[{"value":"0.00493","scoring_system":"epss","scoring_elements":"0.66262","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00493","scoring_system":"epss","scoring_elements":"0.66155","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00493","scoring_system":"epss","scoring_elements":"0.66248","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43861"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43861"},{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/8.13.8","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/8.13.8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43861","reference_id":"CVE-2021-43861","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43861"},{"reference_url":"https://github.com/advisories/GHSA-p3rp-vmj9-gv6v","reference_id":"GHSA-p3rp-vmj9-gv6v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p3rp-vmj9-gv6v"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v","reference_id":"GHSA-p3rp-vmj9-gv6v","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/18459?format=json","purl":"pkg:npm/mermaid@8.13.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bu1t-mfhx-1yet"},{"vulnerability":"VCID-j4ej-bzys-3fag"},{"vulnerability":"VCID-qcuu-a2xn-9bhv"},{"vulnerability":"VCID-thcv-t41j-hqct"},{"vulnerability":"VCID-trvn-qh5r-bffg"},{"vulnerability":"VCID-v3d4-gbq4-rubq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.13.8"}],"aliases":["CVE-2021-43861","GHSA-p3rp-vmj9-gv6v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t4vq-rewd-63c6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/167460?format=json","vulnerability_id":"VCID-thcv-t41j-hqct","summary":"Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to \"load\" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31108","reference_id":"","reference_type":"","scores":[{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46858","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46844","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00235","scoring_system":"epss","scoring_elements":"0.46701","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31108"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31108","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31108"},{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225","reference_id":"0ae1bdb61adff1cd485caff8c62ec6b8ac57b225","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:53Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/0ae1bdb61adff1cd485caff8c62ec6b8ac57b225"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014540","reference_id":"1014540","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014540"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31108","reference_id":"CVE-2022-31108","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31108"},{"reference_url":"https://github.com/advisories/GHSA-x3vm-38hw-55wf","reference_id":"GHSA-x3vm-38hw-55wf","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x3vm-38hw-55wf"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf","reference_id":"GHSA-x3vm-38hw-55wf","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:45:53Z/"}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-x3vm-38hw-55wf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/25214?format=json","purl":"pkg:npm/mermaid@9.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bu1t-mfhx-1yet"},{"vulnerability":"VCID-j4ej-bzys-3fag"},{"vulnerability":"VCID-qcuu-a2xn-9bhv"},{"vulnerability":"VCID-thcv-t41j-hqct"},{"vulnerability":"VCID-trvn-qh5r-bffg"},{"vulnerability":"VCID-v3d4-gbq4-rubq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@9.1.2"},{"url":"http://public2.vulnerablecode.io/api/packages/754337?format=json","purl":"pkg:npm/mermaid@9.1.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bu1t-mfhx-1yet"},{"vulnerability":"VCID-j4ej-bzys-3fag"},{"vulnerability":"VCID-qcuu-a2xn-9bhv"},{"vulnerability":"VCID-trvn-qh5r-bffg"},{"vulnerability":"VCID-v3d4-gbq4-rubq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@9.1.3"}],"aliases":["CVE-2022-31108","GHSA-x3vm-38hw-55wf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-thcv-t41j-hqct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80772?format=json","vulnerability_id":"VCID-trvn-qh5r-bffg","summary":"Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, <script> tags are stripped, which prevents cross-site scripting (XSS). This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting \"securityLevel\": \"sandbox\", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41149","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18611","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18792","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18774","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41149"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41149","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41149"},{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41149","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41149"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056","reference_id":"37ff937f1da2e19f882fd1db01235db4d01f4056","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T03:21:57Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3","reference_id":"4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T03:21:57Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3"},{"reference_url":"https://github.com/advisories/GHSA-ghcm-xqfw-q4vr","reference_id":"GHSA-ghcm-xqfw-q4vr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ghcm-xqfw-q4vr"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr","reference_id":"GHSA-ghcm-xqfw-q4vr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-23T03:21:57Z/"}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375476?format=json","purl":"pkg:npm/mermaid@10.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375475?format=json","purl":"pkg:npm/mermaid@11.15.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0"}],"aliases":["CVE-2026-41149","GHSA-ghcm-xqfw-q4vr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-trvn-qh5r-bffg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80847?format=json","vulnerability_id":"VCID-v3d4-gbq4-rubq","summary":"Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0,  Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41159","reference_id":"","reference_type":"","scores":[{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18407","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.1843","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18243","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41159"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41159","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41159"},{"reference_url":"https://github.com/mermaid-js/mermaid","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41159","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41159"},{"reference_url":"https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aahttps://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76","reference_id":"a9d9f0d8eb790349121508688cd338253fd80d76","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/"}],"url":"https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aahttps://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76"},{"reference_url":"https://github.com/advisories/GHSA-87f9-hvmw-gh4p","reference_id":"GHSA-87f9-hvmw-gh4p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-87f9-hvmw-gh4p"},{"reference_url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p","reference_id":"GHSA-87f9-hvmw-gh4p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/"}],"url":"https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0","reference_id":"mermaid@11.15.0","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/"}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0"},{"reference_url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6","reference_id":"v10.9.6","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:02:42Z/"}],"url":"https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375476?format=json","purl":"pkg:npm/mermaid@10.9.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@10.9.6"},{"url":"http://public2.vulnerablecode.io/api/packages/375475?format=json","purl":"pkg:npm/mermaid@11.15.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@11.15.0"}],"aliases":["CVE-2026-41159","GHSA-87f9-hvmw-gh4p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v3d4-gbq4-rubq"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/mermaid@8.6.3"}