XSS in Lukilabs Beautiful-mermaid
CVE-2026-26226
beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef dire…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.005 (39.3th percentile)
Affected products
- Lukilabs Beautiful-mermaid — versions 0
Weakness classification (CWE)
References
- disclosure@vulncheck.com (release-notes, patch)
- disclosure@vulncheck.com (issue-tracking)
- disclosure@vulncheck.com (technical-description, exploit)
- disclosure@vulncheck.com (third-party-advisory)