Beautiful Mermaid diagrams can inject malicious code into web pages

CVE-2026-26226 GHSA-cgmm-x5ww-q5cr
Summary

Attacker-controlled Mermaid diagram text rendered with Beautiful Mermaid can inject markup into the generated SVG, which allows script execution in the origin of the page that embeds it. This matters if you use Beautiful Mermaid to render user-supplied diagrams. To fix it, update to Beautiful Mermaid version 0.1.3 or later.

What to do
  • Update craftdocs-user beautiful-mermaid to version 0.1.3 or later.
Affected software
Vendor           Product             Affected versions   Fix available
craftdocs-user   beautiful-mermaid   < 0.1.3             0.1.3
Original title
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)
Original description
beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin.
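The attribute-breakout pattern the description refers to, shown as an added illustration: a toy renderer that interpolates a classDef style value straight into an SVG attribute, beside a version that escapes it first. This is example code written for this page, not beautiful-mermaid's implementation or its actual fix; the constructed payload, the renderNode* function names, the parseClassDef helper and the tagNames check are all assumptions made for the demonstration.

```javascript
// Toy model of the bug class in this advisory (CWE-79 via SVG attribute
// injection). Illustrative code for this page; NOT beautiful-mermaid's code.

// Minimal parser for a Mermaid-style `classDef <name> <k:v,k:v>` line.
// This is where attacker-controlled text enters the pipeline.
function parseClassDef(line) {
  const m = /^classDef\s+(\S+)\s+(.*)$/.exec(line.trim());
  if (!m) return null;
  return { name: m[1], style: m[2] };
}

// VULNERABLE: the style string is dropped into a double-quoted attribute
// with no escaping, so a `"` in the value ends the attribute early.
function renderNodeVulnerable(id, label, styleValue) {
  return `<rect id="${id}" style="${styleValue}"><title>${label}</title></rect>`;
}

// Escape the characters that can terminate an attribute or open a tag.
// Order matters: `&` first so already-escaped output is not double-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// HARDENED: every user-controlled value is escaped before interpolation.
function renderNodeSafe(id, label, styleValue) {
  return `<rect id="${escapeAttr(id)}" style="${escapeAttr(styleValue)}">` +
         `<title>${escapeAttr(label)}</title></rect>`;
}

// Cheap structural check: list every opening tag name in a fragment. A
// renderer that only meant to emit <rect><title> must not produce more.
function tagNames(svg) {
  return [...svg.matchAll(/<([a-zA-Z][\w-]*)/g)].map(m => m[1]);
}

// Constructed payload (assumption, not a payload taken from the advisory):
// closes the style attribute and the rect, injects an <image> with an event
// handler, then reopens a rect so the remaining template stays well-formed.
const PAYLOAD_LINE =
  'classDef evil fill:#fff"/><image href="x" onerror="alert(1)"/><rect style="';

function demo() {
  const def = parseClassDef(PAYLOAD_LINE);
  const vulnerable = renderNodeVulnerable('n1', 'Node', def.style);
  const safe = renderNodeSafe('n1', 'Node', def.style);
  return {
    vulnerableTags: tagNames(vulnerable),  // includes the injected "image"
    safeTags: tagNames(safe),              // only ["rect", "title"]
    vulnerable,
    safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Escaping at the attribute boundary is the minimal fix for this bug class; as defense in depth, pages that embed SVG generated from untrusted diagram text should additionally run the output through an SVG-aware sanitizer before inserting it into the DOM, so that a missed escape in one template does not become script execution.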
NVD CVSS 4.0 base score: 5.3
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026