Mermaid Js · Mermaid · CVE-2026-41148
**Name of the Vulnerable Software and Affected Versions**
Mermaid versions prior to 10.9.6
Mermaid versions 11.0.0-alpha.1 through 11.14.0
**Description**
Improper sanitization in the state diagram, and in other diagram types that route user-controlled style strings through the `createCssStyles` parser, allows CSS injection. The parser captures `classDef` values using an unrestricted regex that matches everything up to a newline. This value flows unsanitized through the `addStyleClass()` function into `createCssStyles()` and is assigned to `style.innerHTML`. A closing brace (`}`) in the value can terminate the generated CSS rule, allowing the text that follows to be interpreted as a new CSS rule on the page. This can lead to page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration.
**Recommendations**
Update to version 10.9.6 for versions prior to 10.9.6.
Update to version 11.15.0 for versions 11.0.0-alpha.1 through 11.14.0.
As a temporary workaround, set `securityLevel` to `sandbox` to render diagrams in a sandboxed `<iframe>`.
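The following is an added defensive example, not code from Mermaid or from this advisory. It covers the two practical checks a maintainer of an application embedding Mermaid would want: a version check against the affected ranges listed above, and an allowlist validator for `classDef`-style strings that refuses any value containing a brace (the character the description identifies as terminating the generated rule) or a `url(` call before the string reaches a CSS generator. The property allowlist, the `validateStyleString`/`buildRule`/`isAffectedVersion` names, and the simplified prerelease comparison are assumptions of this example; Mermaid's own `createCssStyles` and `addStyleClass` are not reproduced here.

```javascript
// Added example (not Mermaid's code). Two checks derived from this advisory:
//  1. an allowlist validator for classDef-style strings ("fill:#f9f,stroke:#333")
//  2. a version-range check for the affected ranges stated in the advisory.

// Assumption: an illustrative allowlist of properties a diagram style may set.
const ALLOWED_PROPS = new Set([
  "fill", "stroke", "stroke-width", "stroke-dasharray", "color",
  "font-size", "font-weight", "font-family", "opacity",
]);

// Validate a comma-separated "prop:value" style string.
// Returns { ok: true, declarations: [[prop, value], ...] } or { ok: false, reason }.
function validateStyleString(style) {
  if (typeof style !== "string") return { ok: false, reason: "not a string" };
  // A brace would close the generated rule and let the remainder be parsed as
  // fresh CSS, so reject rather than try to escape it.
  if (/[{}]/.test(style)) return { ok: false, reason: "brace in style string" };
  // url() is the tracking/exfiltration vehicle named in the advisory.
  if (/url\s*\(/i.test(style)) return { ok: false, reason: "url() not permitted" };
  const declarations = [];
  for (const part of style.split(",")) {
    const decl = part.trim();
    if (decl === "") continue;
    const idx = decl.indexOf(":");
    if (idx < 1) return { ok: false, reason: `malformed declaration: ${decl}` };
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!ALLOWED_PROPS.has(prop)) return { ok: false, reason: `property not allowed: ${prop}` };
    // Semicolons, quotes and backslashes could splice extra declarations or escapes.
    if (value === "" || /[;'"\\]/.test(value)) return { ok: false, reason: `bad value for ${prop}` };
    declarations.push([prop, value]);
  }
  return { ok: true, declarations };
}

// Build exactly one CSS rule from a validated style string. Throws on rejection.
function buildRule(className, style) {
  if (!/^[A-Za-z_][\w-]*$/.test(className)) throw new Error(`bad class name: ${className}`);
  const result = validateStyleString(style);
  if (!result.ok) throw new Error(`rejected style for ${className}: ${result.reason}`);
  const body = result.declarations.map(([p, v]) => `${p}: ${v};`).join(" ");
  return `.${className} { ${body} }`;
}

// Minimal semver parsing: major.minor.patch with an optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A release sorts above a prerelease of the same number;
// prerelease tags are compared lexicographically (simplification of semver).
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.nums[i] !== B.nums[i]) return A.nums[i] < B.nums[i] ? -1 : 1;
  }
  if (A.pre === B.pre) return 0;
  if (A.pre === null) return 1;
  if (B.pre === null) return -1;
  return A.pre < B.pre ? -1 : 1;
}

// Affected per the advisory: < 10.9.6, or 11.0.0-alpha.1 <= v < 11.15.0.
function isAffectedVersion(v) {
  const lt = (x, y) => compareVersions(x, y) < 0;
  return lt(v, "10.9.6") || (!lt(v, "11.0.0-alpha.1") && lt(v, "11.15.0"));
}

// Constructed sample input: one benign style and one carrying a closing brace.
const SAMPLE_OK = "fill:#f9f,stroke:#333";
const SAMPLE_BAD = "fill:#f9f } body { display:none";
```

If the installed version reports as affected, upgrade as stated above; until then, the workaround from this advisory is `mermaid.initialize({ securityLevel: 'sandbox' })`, which confines rendering to a sandboxed iframe so injected rules cannot reach the host page. The validator is a belt-and-braces control for applications that accept diagram source from users and want to reject hostile `classDef` values before they are handed to any renderer.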