CVE-2026-41159
Mermaid: Improper sanitization of configuration leads to CSS injection
Severity: MEDIUM
Title source: cnaDescription
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's handling of & (the scope reference): a :not(&) selector escapes the automatic #mermaid-xxx scoping, so the styles apply to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable, because stylis hoists them to the top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.
References (4)
x_refsource_confirm: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
x_refsource_misc: https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
x_refsource_misc: https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
x_refsource_misc: https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0
x_refsource_misc: https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
Scores
CVSS v3: 5.3
EPSS: 0.0040
EPSS Percentile: 31.3%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-94
Status: published
Products (5)
mermaid-js/mermaid: < 10.9.6
mermaid-js/mermaid: >= 11.0.0-alpha.1, < 11.15.0
mermaid_project/mermaid: < 10.9.6
npm/mermaid: 0 - 10.9.6 (npm)
npm/mermaid: 11.0.0-alpha.1 - 11.15.0 (npm)
Published: May 29, 2026
Tracked Since: May 29, 2026