RCE in Mermaid-js Mermaid
CVE-2026-41149
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuratio…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.001 (18.6th percentile)
Affected products
- Mermaid-js Mermaid — versions < 10.9.6, and versions >= 11.0.0-alpha.1 and < 11.15.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)
- security-advisories@github.com (x_refsource_MISC)