Ghostwire

CVE-2026-41149: Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

MEDIUM CVSS 5.5 Exploit Available

Published: May 11, 2026 | Last Modified: May 11, 2026

Description

Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

Ghostwire Analysis — What This Means Practically

Medium CVSS score indicates moderate risk — exploitation requires specific conditions or results in limited impact.
Exploit code is reported to be available, increasing the likelihood of active exploitation.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References

github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
github.com/mermaid-js/mermaid/releases/tag/v10.9.6
mermaid.js.org/config/schema-docs/config.html#securitylevel
github.com/advisories/GHSA-ghcm-xqfw-q4vr
www.tenable.com/cve/CVE-2026-41149
www.cnnvd.org.cn/home/globalSearch?keyword=CVE-2026-41149