CVE-2026-41149: Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
(updated )
Under the default configuration, Mermaid state diagram’s classDef allow DOM injection that escapes the SVG, although <script> tags are removed, preventing XSS.
References
- github.com/advisories/GHSA-ghcm-xqfw-q4vr
- github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
- github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
- github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
- github.com/mermaid-js/mermaid/releases/tag/v10.9.6
- github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
- mermaid.js.org/config/schema-docs/config.html
- nvd.nist.gov/vuln/detail/CVE-2026-41149
Code Behaviors & Features
Detect and mitigate CVE-2026-41149 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →