CVE-2026-41150

MEDIUM

Mermaid Gantt Charts - Infinite Loop Denial of Service

Title source: manual

Description

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, rendering a gantt chart whose excludes attribute excludes all dates causes a denial of service (an infinite loop, CWE-835). mermaid.parse is unaffected unless ganttDb.getTasks() is subsequently called, which happens whenever a diagram is rendered. This vulnerability is fixed in 10.9.6 and 11.15.0.

Scores

CVSS v3 5.3
EPSS 0.0038
EPSS Percentile 29.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-835
Status published
Products (5)
mermaid-js/mermaid < 10.9.6
mermaid-js/mermaid >= 11.0.0-alpha.1, < 11.15.0
mermaid_project/mermaid < 10.9.6
npm/mermaid 0 - 10.9.6
npm/mermaid 11.0.0-alpha.1 - 11.15.0
Published May 29, 2026
Tracked Since May 29, 2026
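The ranges above include a prerelease lower bound (11.0.0-alpha.1), which naive string or numeric comparison gets wrong. The following is an added example, not code from the advisory or the Mermaid project, that decides whether a given mermaid version falls inside the affected ranges listed on this page using semver-correct comparison (prerelease identifiers sort below the release, numeric identifiers sort below alphanumeric ones). The AFFECTED_RANGES table is transcribed from the Products list; everything else is assumed helper code.

```javascript
// Affected ranges transcribed from this advisory's Products list:
//   < 10.9.6  and  >= 11.0.0-alpha.1, < 11.15.0
// (min === null means "no lower bound")
const AFFECTED_RANGES = [
  { min: null, max: "10.9.6" },
  { min: "11.0.0-alpha.1", max: "11.15.0" },
];

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" into core numbers and prerelease ids.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare prerelease identifier lists per semver spec item 11.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;   // a release is higher than any of its prereleases
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;                    // numeric ids sort below alphanumeric ids
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;        // alphanumeric ids compare lexically (ASCII)
    }
  }
  return a.length - b.length;       // all shared ids equal: shorter list sorts lower
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

// True when `version` lies inside any affected range (lower bound inclusive,
// upper bound exclusive, matching the "< fixed version" notation above).
function isAffected(version) {
  return AFFECTED_RANGES.some(
    ({ min, max }) =>
      (min === null || compareSemver(version, min) >= 0) &&
      compareSemver(version, max) < 0
  );
}

// Usage: feed it the version of the installed package, for example
//   const { version } = JSON.parse(require("fs").readFileSync("node_modules/mermaid/package.json", "utf8"));
//   console.log(version, isAffected(version) ? "AFFECTED" : "not affected");
```

The prerelease handling matters here: 11.0.0-alpha.1 is affected and lies below 11.0.0, while 11.0.0-alpha.0 (if it existed) would fall outside both ranges, which plain string comparison would not get right.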