CVE-2026-41159

UNKNOWN 0.0

Mermaid: Improper sanitization of configuration leads to CSS injection

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.

CWE	CWE-94
Vendor	mermaid-js
Product	mermaid
Published	May 29, 2026
Last Updated	May 29, 2026

Stay Ahead of the Next One

Get instant alerts for mermaid-js mermaid

Be the first to know when new unknown vulnerabilities affecting mermaid-js mermaid are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

mermaid-js / mermaid

>= 11.0.0-alpha.1, < 11.15.0 < 10.9.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p github.com: https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aahttps://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 github.com: https://github.com/mermaid-js/mermaid/releases/tag/[email protected] github.com: https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6