Bug 2480864 (CVE-2026-41149) - CVE-2026-41149 mermaid: Mermaid: HTML injection via classDef directive in state diagrams
Summary: CVE-2026-41149 mermaid: Mermaid: HTML injection via classDef directive in sta...
Keywords:
Status: NEW
Alias: CVE-2026-41149
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2489251 2489252 2489253 2489254 2489255 2489257 2489258 2489261 2489263 2489250 2489256 2489259 2489260 2489262 2489264 2489265
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-22 23:01 UTC by OSIDB Bzimport
Modified: 2026-06-19 05:06 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-22 23:01:57 UTC
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, <script> tags are stripped, which prevents cross-site scripting (XSS). This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting "securityLevel": "sandbox", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>.


Note You need to log in before you can comment on or make changes to this bug.