CVE-2026-41148: CWE-94: Improper Control of Generation of Code ('Code Injection') in mermaid-js mermaid
CVE-2026-41148 is a medium severity vulnerability in the mermaid-js mermaid JavaScript tool that allows CSS injection due to improper sanitization of user-controlled style strings. Affected versions include all versions prior to 10. 9. 6 and versions from 11. 0. 0-alpha. 1 up to but not including 11. 15. 0. The vulnerability arises because classDef values are captured with an unrestricted regex and then inserted unsanitized into CSS styles, enabling attackers to inject arbitrary CSS rules.
AI Analysis
Technical Summary
Mermaid-js mermaid versions <=10.9.5 and 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection due to improper sanitization of classDef style strings. The vulnerability occurs because the regex capturing classDef values matches everything up to a newline without restriction, allowing a closing brace to terminate the CSS selector and inject new CSS rules. These injected rules can be used for page defacement, user tracking, and DOM attribute exfiltration. The vulnerability is tracked as CWE-94 (Improper Control of Generation of Code). Fixed versions are 10.9.6 and 11.15.0. A temporary mitigation is to set "securityLevel" to "sandbox" to render diagrams in a sandboxed iframe, preventing exploitation.
Potential Impact
Exploitation of this vulnerability allows an attacker to inject arbitrary CSS into pages rendering mermaid diagrams, which can result in page defacement, user tracking through CSS url() callbacks, and exfiltration of DOM attributes. The CVSS 4.0 base score is 5.3 (medium severity), indicating a moderate impact with network attack vector, low complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
A fix is available in mermaid versions 10.9.6 and 11.15.0. Users and developers should upgrade to these versions to remediate the vulnerability. If immediate upgrading is not possible, setting the "securityLevel" configuration option to "sandbox" will mitigate the issue by rendering diagrams within a sandboxed iframe, preventing CSS injection. There is no indication that no action is required or that the issue is already mitigated without these steps.
CVE-2026-41148: CWE-94: Improper Control of Generation of Code ('Code Injection') in mermaid-js mermaid
Description
CVE-2026-41148 is a medium severity vulnerability in the mermaid-js mermaid JavaScript tool that allows CSS injection due to improper sanitization of user-controlled style strings. Affected versions include all versions prior to 10. 9. 6 and versions from 11. 0. 0-alpha. 1 up to but not including 11. 15. 0. The vulnerability arises because classDef values are captured with an unrestricted regex and then inserted unsanitized into CSS styles, enabling attackers to inject arbitrary CSS rules.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mermaid-js mermaid versions <=10.9.5 and 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection due to improper sanitization of classDef style strings. The vulnerability occurs because the regex capturing classDef values matches everything up to a newline without restriction, allowing a closing brace to terminate the CSS selector and inject new CSS rules. These injected rules can be used for page defacement, user tracking, and DOM attribute exfiltration. The vulnerability is tracked as CWE-94 (Improper Control of Generation of Code). Fixed versions are 10.9.6 and 11.15.0. A temporary mitigation is to set "securityLevel" to "sandbox" to render diagrams in a sandboxed iframe, preventing exploitation.
Potential Impact
Exploitation of this vulnerability allows an attacker to inject arbitrary CSS into pages rendering mermaid diagrams, which can result in page defacement, user tracking through CSS url() callbacks, and exfiltration of DOM attributes. The CVSS 4.0 base score is 5.3 (medium severity), indicating a moderate impact with network attack vector, low complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
A fix is available in mermaid versions 10.9.6 and 11.15.0. Users and developers should upgrade to these versions to remediate the vulnerability. If immediate upgrading is not possible, setting the "securityLevel" configuration option to "sandbox" will mitigate the issue by rendering diagrams within a sandboxed iframe, preventing CSS injection. There is no indication that no action is required or that the issue is already mitigated without these steps.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T12:59:15.739Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a10d8e4e1370fbb485de040
Added to database: 5/22/2026, 10:29:56 PM
Last enriched: 5/22/2026, 10:45:34 PM
Last updated: 5/23/2026, 2:32:00 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.