๐Ÿ” CVE Alert

CVE-2026-26226

UNKNOWN 0.0

beautiful-mermaid < 0.1.3 SVG Attribute Injection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin.

CWE CWE-79
Vendor lukilabs
Product beautiful-mermaid
Published Feb 13, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for lukilabs beautiful-mermaid

Be the first to know when new unknown vulnerabilities affecting lukilabs beautiful-mermaid are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

lukilabs / beautiful-mermaid
0 < 0.1.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/lukilabs/beautiful-mermaid/releases/tag/v0.1.3 github.com: https://github.com/lukilabs/beautiful-mermaid/pull/8 neo.projectdiscovery.io: https://neo.projectdiscovery.io/share/cec71dc7-a8eb-417e-b8b4-666644796c1e vulncheck.com: https://www.vulncheck.com/advisories/beautiful-mermaid-svg-attribute-injection

Credits

Neo by ProjectDiscovery (https://neo.projectdiscovery.io)