CVE Catalog

CVE-2026-41159

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

A vulnerability in Mermaid (versions before 10.9.6 and 11.15.0) allows CSS injection outside the diagram scope via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's scope reference handling to bypass automatic scoping, enabling page defacement and DOM attribute exfiltration using CSS :has() selectors.

Risk Assessment

An attacker can deface the web page and exfiltrate sensitive DOM attributes (e.g., CSRF tokens, session data) by injecting malicious CSS, leading to integrity and confidentiality breaches.

Recommendation

Immediately update the Mermaid library to version 10.9.6 or 11.15.0, which fix the CSS injection vulnerability outside the diagram scope.

Original NVD description (English source)

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS