Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

Description

Under the default configuration, Mermaid state diagram’s classDef allow DOM injection that escapes the SVG, although <script> tags are removed, preventing XSS.

Recommendation

Update the mermaid package to the latest compatible version. Followings are version details:

• Affected version(s): **<= 10.9.5

  >= 11.0.0-alpha.1, <= 11.14.0**

• Patched version(s): **10.9.6

  11.15.0**

References

• GHSA-ghcm-xqfw-q4vr
• mermaid.js.org
• CVE-2026-41149
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection - CVE-2026-41148
• Mermaid: Improper sanitization of configuration leads to CSS injection - CVE-2026-41159
• jsPDF has HTML Injection in New Window paths - CVE-2026-31938
• Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902

You might also like:

How do hackers hack websites?

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:

npm

mermaid