CVE-2026-41159: Mermaid: Improper sanitization of configuration leads to CSS injection
Mermaid’s default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options.
References
- github.com/advisories/GHSA-87f9-hvmw-gh4p
- github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
- github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
- github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
- github.com/mermaid-js/mermaid/releases/tag/v10.9.6
- github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
- nvd.nist.gov/vuln/detail/CVE-2026-41159