2483294 – (CVE-2026-41159) CVE-2026-41159 mermaid: Mermaid: Information disclosure and page defacement via CSS injection

Bug 2483294 (CVE-2026-41159) - CVE-2026-41159 mermaid: Mermaid: Information disclosure and page defacement via CSS injection

Summary: CVE-2026-41159 mermaid: Mermaid: Information disclosure and page defacement v...

Keywords:
Status:	NEW
Alias:	CVE-2026-41159
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-29 15:01 UTC by OSIDB Bzimport
Modified:	2026-06-17 10:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-29 15:01:26 UTC

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0,  Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.

Note You need to log in before you can comment on or make changes to this bug.