CVE-2026-41159: Mermaid CSS Injection Vulnerability – Patch to 10.9.6 or 11.15.0
Mermaid, a popular JavaScript library for creating diagrams from text, contains a CSS injection vulnerability in its configuration options. Attackers can inject malicious CSS through the fontFamily, themeCSS, and altFontFamily settings that breaks out of the intended diagram sandbox and affects the entire web page. This could enable page defacement or extraction of sensitive information through CSS selectors. The vulnerability affects versions before 10.9.6 and 11.15.0, and has been patched in those releases.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-94
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-07-01
NVD description (verbatim)
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper CSS scope handling in Mermaid's integration with the stylis CSS processor. Mermaid attempts to automatically scope styles to diagrams using an #mermaid-xxx container ID, but the :not(&) CSS selector in configuration-controlled strings can escape this scope. Additionally, global at-rules (@font-face, @keyframes, @counter-style) are hoisted by stylis to the document root, bypassing containment. This allows injection of page-wide CSS rules, including use of :has() selectors for attribute exfiltration via side-channel techniques like background-image requests with crafted URLs.
Business impact
Organizations embedding user-controlled or untrusted Mermaid diagrams face risk of visual brand damage through page defacement and potential exposure of DOM attributes via CSS exfiltration channels. While the CVSS score reflects limited severity, the actual impact depends on the sensitivity of page content and whether the hosting application renders sensitive user data in the DOM. For SaaS platforms or collaborative tools using Mermaid, this could facilitate account compromise workflows or data theft if attributes like authentication tokens or session identifiers are exposed.
Affected systems
All Mermaid versions prior to 10.9.6 (10.x branch) and prior to 11.15.0 (11.x branch) are vulnerable. Any web application or service that renders Mermaid diagrams from user-supplied input, configuration, or untrusted sources is at risk. This includes collaborative diagramming tools, documentation platforms, and wiki systems that permit Mermaid syntax.
Exploitability
The vulnerability requires no authentication and can be triggered by crafting a malicious diagram configuration string passed to Mermaid. The attack surface is high in applications that accept user-submitted diagram syntax or configuration. However, exploitation complexity is moderate—the attacker must understand CSS scoping rules and stylis behavior, and must have a vector to inject configuration values. Real-world exploitation likelihood increases if the application allows direct diagram input or if third-party diagrams are embedded without sanitization.
Remediation
Upgrade Mermaid to version 10.9.6 or later (10.x series) or 11.15.0 or later (11.x series). Organizations should also review deployment architectures: if diagrams originate from untrusted sources, implement input validation to reject suspicious configuration syntax, or isolate Mermaid rendering in a sandboxed iframe to contain CSS injection effects. Content Security Policy (CSP) headers with strict font-src and style-src directives can further limit the blast radius.
Patch guidance
Patch versions 10.9.6 and 11.15.0 address the vulnerability by hardening CSS scope isolation and restricting configuration-controlled at-rule injection. Verify the upgrade in your package.json or lock file and test that diagram rendering continues to work as expected—patch versions should not break existing diagram syntax. For applications on the 10.x branch, prioritize upgrading to 10.9.6; for 11.x users, upgrade to 11.15.0 or later. Check your dependency tree for indirect Mermaid usage via other libraries.
Detection guidance
Monitor application logs for unusual Mermaid configuration payloads, particularly strings containing :not(&), @font-face, @keyframes, or :has() selectors in fontFamily, themeCSS, or altFontFamily fields. In a browser environment, watch for unexpected global CSS rules being injected into the document head. If Mermaid diagrams are user-supplied, implement a Web Application Firewall (WAF) rule to flag requests containing CSS selector syntax in diagram input. Runtime monitoring of DOM mutations and style injection can also surface exploitation attempts.
Why prioritize this
Although rated MEDIUM severity, this vulnerability warrants prompt attention if your organization uses Mermaid with untrusted input. The combination of no authentication required, network accessibility, and potential for data exfiltration via CSS channels elevates practical risk. Organizations with collaborative or user-facing Mermaid integrations should prioritize patching within 30 days; others with Mermaid use limited to internal documentation can follow a standard update cycle.
Risk score, explained
The CVSS 5.3 score reflects the lack of direct confidentiality or integrity impact under the base scoring vector; however, integrity and confidentiality risks exist via CSS-based exfiltration and page manipulation. The score does not account for business context—a platform accepting user diagram input faces higher practical risk than an internal documentation tool. The absence of authentication requirement (PR:N) and network accessibility (AV:N) keep the score in MEDIUM range, but the true risk depends on whether Mermaid is exposed to untrusted input.
Frequently asked questions
Does this vulnerability require the attacker to have an account or special access?
No. The vulnerability is network-accessible and requires no authentication. Any attacker capable of supplying Mermaid configuration—through a diagram input field, API parameter, or shared document—can trigger it.
What is the difference between versions 10.9.6 and 11.15.0?
These are patch versions for two active Mermaid release branches. Version 10.9.6 patches the 10.x line, while 11.15.0 patches the 11.x line. Upgrade to whichever branch your application currently uses. Check your package.json to confirm your current version.
Can CSS injection really steal sensitive data?
Yes, within limitations. Attackers cannot directly read DOM text via CSS, but can exfiltrate HTML attributes (like data-* attributes or token values in href/src) using CSS :has() selectors combined with background-image requests to an attacker-controlled server. This is a known side-channel technique.
Is there a workaround if I cannot patch immediately?
Render Mermaid diagrams in an iframe with a restrictive sandbox attribute and CSP headers, or implement input validation to reject configuration strings containing CSS selectors and at-rules. These are defense-in-depth measures; patching is the primary fix.
This analysis is based on the published CVE description and vendor patch information as of the modification date. Organizations should verify patch availability, compatibility, and applicability to their specific Mermaid deployment. No exploit code or weaponized proof-of-concept is provided. Always test patches in non-production environments before full deployment. For the most current information, consult the official Mermaid project advisory and your vendor's security updates. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10153MEDIUMCross-Site Scripting in westboy CicadasCMS Search Function
- CVE-2026-10173MEDIUMCross-Site Scripting in Orthanc Explorer 2 – Patch Guidance & Detection
- CVE-2026-10175MEDIUMCode Injection in Aider-AI Aider 0.86.3 – Exploit Available
- CVE-2026-10289MEDIUMXSS Vulnerability in Hotel and Tourism Reservation System 1.0
- CVE-2026-10301MEDIUMReflected XSS in itsourcecode Fees Management System 1.0 – Exploit Public
- CVE-2026-10688MEDIUMCode Injection in ahujasid blender-mcp
- CVE-2026-10810MEDIUMCross-Site Scripting in itsourcecode Fees Management System v1.0
- CVE-2026-44287MEDIUMFastGPT JavaScript Sandbox Bypass and RCE (CVSS 6.3)