By vendor
Mermaid_project vulnerabilities
Known CVEs affecting Mermaid_project products, prioritized by severity, with SEC.co remediation and detection guidance.
2 published vulnerabilities
- CVE-2026-41150MEDIUM 5.3
Mermaid, a popular JavaScript library for creating diagrams from text, contains a denial-of-service vulnerability in versions before 10.9.6 and 11.15.0. The flaw occurs when rendering Gantt charts that use the excludes attribute to block out all dates. An attacker can craft a malicious diagram that, when processed and rendered, causes the application to hang or consume excessive resources, disrupting service availability. The vulnerability only manifests during actual diagram rendering; simply parsing the diagram syntax does not trigger the issue unless the ganttDb.getTasks() function is subsequently called.
- CVE-2026-41159MEDIUM 5.3
Mermaid, a popular JavaScript library for creating diagrams from text, contains a CSS injection vulnerability in its configuration options. Attackers can inject malicious CSS through the fontFamily, themeCSS, and altFontFamily settings that breaks out of the intended diagram sandbox and affects the entire web page. This could enable page defacement or extraction of sensitive information through CSS selectors. The vulnerability affects versions before 10.9.6 and 11.15.0, and has been patched in those releases.