XSS in Lukilabs Beautiful-mermaid

CVE-2026-26226

beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef dire…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.005 (39.3th percentile)
