What is CVE-2026-41159?

CVE-2026-41159 is a medium-severity vulnerability in Mermaid-js Mermaid, classified under Code Injection. CVSS score: 5.3/10. Published 2026-05-29.

How severe is CVE-2026-41159?

Medium severity. CVSS v3 base score is 5.3 out of 10.

RCE in Mermaid-js Mermaid

CVE-2026-41159

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.001 (18.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Mermaid-js Mermaid — versions >= 11.0.0-alpha.1, < 11.15.0, < 10.9.6
Mermaid_project Mermaid

Weakness classification (CWE)

CWE-94 — Code Injection

References

security-advisories@github.com (x_refsource_CONFIRM, Third Party Advisory)
security-advisories@github.com (Patch, x_refsource_MISC)
security-advisories@github.com (x_refsource_MISC, Release Notes)
security-advisories@github.com (x_refsource_MISC, Release Notes)

Frequently asked questions

What is CVE-2026-41159?: CVE-2026-41159 is a medium-severity vulnerability in Mermaid-js Mermaid, classified under Code Injection. CVSS score: 5.3/10. Published 2026-05-29.
How severe is CVE-2026-41159?: Medium severity. CVSS v3 base score is 5.3 out of 10.