PT-2026-39886 · Mermaid Js · Mermaid

Zsxsoft · Published 2026-05-11 · Updated 2026-05-23 · CVE-2026-41149

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions
Mermaid versions prior to 10.9.6
Mermaid versions 11.0.0-alpha.1 through 11.14.0
Description
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Under the default configuration, the classDef directive in state diagrams allows HTML injection that escapes the SVG context, leading to DOM injection. <script> tags are stripped, which blocks direct cross-site scripting (XSS), but arbitrary other HTML elements can still be injected into the Document Object Model (DOM, the programming interface for HTML and XML documents) of the page that renders the diagram. Because the injected markup lands in the host page rather than inside the SVG, it can alter or spoof content outside the diagram; the vector's UI:P reflects that a victim only has to view a page rendering attacker-supplied diagram text.
Recommendations
Update to version 10.9.6 (10.x branch).
Update to version 11.15.0 (11.x branch).
As a temporary workaround, set securityLevel to sandbox so that diagrams are rendered inside a sandboxed <iframe> instead of being injected into the host document.
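As an added example (not Mermaid's own code and not part of this advisory), the following JavaScript decides whether an installed Mermaid version falls inside the affected ranges listed above and, if it does, applies the securityLevel: 'sandbox' workaround through mermaid.initialize(). The version-range check implements semver 2.0 precedence so that the 11.0.0-alpha.1 boundary is handled correctly; the configureMermaid helper and the way the running version is obtained are assumptions for illustration, since the advisory does not specify them.

```javascript
// Added example, not Mermaid project code.
// Parses "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Comparator returning <0, 0 or >0, following semver 2.0 precedence:
// numeric core first, then a pre-release sorts below the plain release,
// then pre-release identifiers are compared one by one.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn) return -1; // numeric identifiers sort before alphanumeric ones
    if (qn) return 1;
    return p < q ? -1 : 1;
  }
  return x.pre.length - y.pre.length; // the longer pre-release list wins
}

// Affected ranges copied from the advisory:
//   - anything below 10.9.6 (fixed in 10.9.6)
//   - 11.0.0-alpha.1 through 11.14.0 inclusive (fixed in 11.15.0)
function isAffected(version) {
  if (compareSemver(version, '10.9.6') < 0) return true;
  return compareSemver(version, '11.0.0-alpha.1') >= 0 &&
         compareSemver(version, '11.14.0') <= 0;
}

// The advisory's stopgap: render every diagram in a sandboxed <iframe>.
const SANDBOX_CONFIG = { startOnLoad: true, securityLevel: 'sandbox' };

// Hypothetical helper (assumption): given a Mermaid API object (the `mermaid`
// global or the package's default export) and the version string you obtained
// from your lockfile or package.json, apply the sandbox config when the
// version is affected. Returns true when the workaround was applied.
function configureMermaid(mermaidApi, version) {
  const affected = isAffected(version);
  if (affected) mermaidApi.initialize(SANDBOX_CONFIG);
  return affected;
}

// Usage in a browser page (assumed names):
//   configureMermaid(window.mermaid, '11.14.0'); // applies sandbox config
```

The sandbox level is a mitigation, not a fix: it confines the injected markup to the iframe rather than preventing it, so the patched versions remain the real remedy. Checking the version from your dependency lockfile is more reliable than trusting a runtime property.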

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2026-41149
GHSA-GHCM-XQFW-Q4VR

Affected Products

Mermaid
Node-Mermaid