beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)
Severity: Medium
Description
beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams.
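The following is an added illustration of the vulnerability class named above (untrusted diagram text landing inside an SVG attribute), written for this page; it is not beautiful-mermaid's code and does not reproduce the library's actual affected code path. The renderer functions, the attribute-walking check, and the sample label are all constructed for the example. It shows why unescaped interpolation lets a label that merely contains a double quote close the attribute and add an event handler, and how escaping the attribute value closes that hole.

```javascript
// Added example: hypothetical renderer, NOT beautiful-mermaid's code.
// Function names and the sample label below are constructed for illustration.

// Vulnerable pattern: the node label is interpolated directly into an SVG
// attribute. A `"` in the label terminates the value, so the remainder of the
// label is parsed as further attributes (e.g. an onload= handler).
function renderLabelUnsafe(label) {
  return `<svg xmlns="http://www.w3.org/2000/svg"><text data-label="${label}">node</text></svg>`;
}

// Escape the characters that can end an attribute value or the element
// around it. Applying this to every untrusted value placed in an attribute is
// the standard fix for this CWE-79 variant in generated markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened form: same output shape, but the label can no longer break out of
// the attribute.
function renderLabelSafe(label) {
  return `<svg xmlns="http://www.w3.org/2000/svg"><text data-label="${escapeAttr(label)}">node</text></svg>`;
}

// Minimal attribute walker for generated SVG. It honours quoted values, so
// text such as `onload=` that sits INSIDE an escaped attribute value is not
// mistaken for an attribute (a naive regex would get that wrong). Not a
// general XML parser; it only needs to handle the markup the renderers emit.
function attributeNames(markup) {
  const names = [];
  let i = 0;
  while (i < markup.length) {
    if (markup[i] !== "<") { i++; continue; }
    if (markup[i + 1] === "/") {            // closing tag: no attributes
      while (i < markup.length && markup[i] !== ">") i++;
      continue;
    }
    i++;                                    // skip '<'
    while (i < markup.length && !/[\s/>]/.test(markup[i])) i++;   // tag name
    while (i < markup.length && markup[i] !== ">") {
      while (i < markup.length && /[\s/]/.test(markup[i])) i++;
      if (i >= markup.length || markup[i] === ">") break;
      let name = "";
      while (i < markup.length && !/[\s=/>]/.test(markup[i])) name += markup[i++];
      if (name) names.push(name.toLowerCase());
      while (i < markup.length && /\s/.test(markup[i])) i++;
      if (markup[i] === "=") {
        i++;
        while (i < markup.length && /\s/.test(markup[i])) i++;
        const q = markup[i];
        if (q === '"' || q === "'") {       // quoted value: skip to matching quote
          i++;
          while (i < markup.length && markup[i] !== q) i++;
          i++;
        } else {                            // unquoted value
          while (i < markup.length && !/[\s>]/.test(markup[i])) i++;
        }
      }
    }
  }
  return names;
}

// Output check a reviewer can run over rendered SVG: did any element end up
// with an on* event-handler attribute? In production, additionally pass the
// SVG through a sanitizer such as DOMPurify before inserting it into the DOM.
function hasEventHandlerAttribute(svg) {
  return attributeNames(svg).some((n) => n.startsWith("on"));
}

// Constructed attacker-controlled label, as it might arrive inside a
// user-supplied diagram definition.
const maliciousLabel = 'x" onload="alert(1)';

const unsafeSvg = renderLabelUnsafe(maliciousLabel);   // gains an onload attribute
const safeSvg = renderLabelSafe(maliciousLabel);       // label stays inside data-label
```

Run with `node` to compare `unsafeSvg` and `safeSvg`; the unsafe string carries `onload="alert(1)"` as a real attribute, while the safe string keeps the whole label as the quoted value of `data-label`.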
Recommendation
Update the beautiful-mermaid package to the latest compatible version (0.1.3 or later). Applications that render diagrams supplied by untrusted users should additionally sanitize the generated SVG before inserting it into the DOM. Version details:
- Affected version(s): < 0.1.3
- Patched version(s): 0.1.3
References
- GHSA-cgmm-x5ww-q5cr
- neo.projectdiscovery.io
- www.vulncheck.com
- CVE-2026-26226
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
- Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948
- tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload - CVE-2022-25854
- Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas - Vulnerability
Tags: npm, beautiful-mermaid
Last updated on February 13, 2026