CVE-2026-41148: Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
(updated )
Enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration via CSS :has() selectors.
References
- github.com/advisories/GHSA-xcj9-5m2h-648r
- github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102
- github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f
- github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
- github.com/mermaid-js/mermaid/releases/tag/v10.9.6
- github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
- mermaid.js.org/config/schema-docs/config.html
- nvd.nist.gov/vuln/detail/CVE-2026-41148
Code Behaviors & Features
Detect and mitigate CVE-2026-41148 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →