PT-2026-39885 · Mermaid Js+3 · Mermaid+1
Matejsmycka · Published 2026-05-11 · Updated 2026-05-23 · CVE-2026-41148
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Mermaid versions prior to 10.9.6; Mermaid versions 11.0.0-alpha.1 through 11.14.0
Description: Improper sanitization in the state diagram and other diagram types that route user-controlled style strings through the createCssStyles parser allows CSS injection. The parser captures classDef values with an unrestricted regex that matches everything up to the next newline. That value flows unsanitized through the addStyleClass() function into createCssStyles() and is assigned to style.innerHTML. A closing brace (}) in the value terminates the generated CSS selector, so any text that follows is interpreted as a new CSS rule on the page. This can lead to page defacement, user tracking via url() callbacks, and DOM attribute exfiltration.
Recommendations: Update to version 10.9.6 for versions prior to 10.9.6. Update to version 11.15.0 for versions 11.0.0-alpha.1 through 11.14.0. As a temporary workaround, set securityLevel to sandbox to render diagrams in a sandboxed .
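As an added illustration of the data flow the description names (not Mermaid's own code and not the upstream patch), the JavaScript below places the unsafe concatenation of a classDef value into a CSS rule beside a conservative allow-list validator that refuses a value able to close the selector; the function names, the DECLARATION pattern and the sample style strings are assumptions constructed for this example.

```javascript
// Hypothetical helpers for CVE-2026-41148; not Mermaid's createCssStyles() or
// addStyleClass(). Mermaid classDef styles are comma-separated "property:value"
// pairs, e.g. "fill:#f9f,stroke:#333".

// Mirrors the vulnerable data flow the advisory describes: the style string is
// captured up to the newline and concatenated into a rule unchanged, so a "}"
// in the value closes the selector early and the remainder becomes a new rule.
function buildClassRuleUnsafe(className, styleText) {
  return `.${className} { ${styleText.split(",").join("; ")} }`;
}

// Conservative allow-list per declaration (an assumption for this example, not
// the upstream fix): property name, colon, then a value with no braces,
// semicolons, slashes, backslashes or "@" (blocks nested rules, comments, at-rules).
const DECLARATION = /^[a-zA-Z-]+\s*:\s*[^{};\/\\@]+$/;

// Returns the declarations that are safe to emit, or null if any is rejected.
function sanitizeClassDef(styleText) {
  const safe = [];
  for (const raw of styleText.split(",")) {
    const decl = raw.trim();
    if (decl === "") continue;
    // url() is refused outright: the advisory names it as a tracking channel.
    if (!DECLARATION.test(decl) || /url\s*\(/i.test(decl)) return null;
    safe.push(decl);
  }
  return safe;
}

function buildClassRuleSafe(className, styleText) {
  if (!/^[A-Za-z_][\w-]*$/.test(className)) throw new Error("invalid class name");
  const decls = sanitizeClassDef(styleText);
  if (decls === null) {
    throw new Error("rejected classDef style: " + JSON.stringify(styleText));
  }
  return `.${className} { ${decls.join("; ")} }`;
}

// Number of rule blocks in generated CSS; one classDef should yield exactly one.
// Useful when reviewing what a diagram source would emit through the unsafe path.
function countRuleBlocks(css) {
  return (css.match(/\{/g) || []).length;
}

// Constructed samples: a benign classDef and one carrying a closing brace.
const BENIGN_STYLE = "fill:#f9f,stroke:#333,stroke-width:4px";
const BRACE_STYLE = "fill:#f9f} body { display:none";
```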

Fix
Code Injection
Weakness Enumeration
Related Identifiers: CVE-2026-41148, GHSA-XCJ9-5M2H-648R
Affected Products: Mermaid, Node-Mermaid