RCE in Mermaid-js Mermaid
CVE-2026-41148
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization…
Vulnerability class: RCE (Remote Code Execution). Note that the advisory text itself describes CSS injection through improper sanitization rather than code execution; treat the RCE label as this page's classification, not the advisory's, and check the original GitHub advisory before assigning severity.
EPSS: 0.001 (22.5th percentile)
Affected products
- Mermaid-js Mermaid: all versions < 10.9.6, and versions >= 11.0.0-alpha.1 and < 11.15.0 (i.e. the fixed releases implied by these ranges are 10.9.6 and 11.15.0)
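The two ranges above need a prerelease-aware comparison (11.0.0-alpha.1 sorts below 11.0.0, and a plain string compare gets this wrong). The following is an added example, not Mermaid's own code or part of the advisory: a small semver comparator, the affected ranges copied from this page, and a scan of a package-lock.json `packages` map for every nested mermaid install. The lockfile contents are constructed for the demonstration.

```javascript
// Added example: is an installed mermaid version inside the ranges this page lists?
// Ranges are taken from the "Affected products" section above; everything else
// (parser, lockfile walk, sample lockfile) is illustrative and not from the project.

function parseVersion(v) {
  // core "MAJOR.MINOR.PATCH" plus an optional "-prerelease" suffix; build metadata ignored
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Prerelease identifiers: numeric ones compare numerically and sort before
// alphanumeric ones; otherwise plain lexical order (semver 2.0 section 11).
function compareIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Number(a) - Number(b);
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns <0, 0, >0 like a comparator. A prerelease sorts before its release.
function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return a.pre.length - b.pre.length; // longer prerelease list is higher
}

// Affected ranges as stated on this page.
const AFFECTED_RANGES = [
  { lt: '10.9.6' },
  { gte: '11.0.0-alpha.1', lt: '11.15.0' },
];

function isAffected(version) {
  return AFFECTED_RANGES.some((r) =>
    (r.gte === undefined || compareVersions(version, r.gte) >= 0) &&
    compareVersions(version, r.lt) < 0);
}

// Walk a lockfileVersion 2/3 "packages" map; nested copies under other
// dependencies are reported too, since each is a separate install.
function findMermaidInLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/mermaid' || path.endsWith('/node_modules/mermaid')) {
      hits.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (hypothetical project, not a real one).
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/mermaid': { version: '11.12.0' },
    'node_modules/docs-tool/node_modules/mermaid': { version: '10.9.6' },
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.table(findMermaidInLockfile(SAMPLE_LOCK));
}
```

One caveat when reusing this against a vendor range: strict semver ordering puts `11.15.0-beta.1` below `11.15.0`, so it reports as affected here, whereas npm's `semver` library excludes prereleases from a range unless the range itself names a prerelease on the same major.minor.patch. Decide explicitly which behaviour you want for prerelease installs rather than relying on the tool's default.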
Weakness classification (CWE)
References
- GitHub Security Advisories (security-advisories@github.com), confirming source plus further advisory links; the individual URLs were not preserved on this page