CVE-2026-41149 – Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

CVE ID :CVE-2026-41149

Published : May 22, 2026, 10:34 p.m. | 1 hour, 23 minutes ago

Description :Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, 

نوشته های مشابه

CVE-2026-23663 – Microsoft Global Secure Access (GSA) Information Disclosure Vulnerability

CVE-2026-42901 – Microsoft Entra ID Elevation of Privilege Vulnerability

CVE-2026-41104 – Microsoft Planetary Computer Pro Information Disclosure Vulnerability

CVE-2026-45659 – Microsoft SharePoint Remote Code Execution Vulnerability