Description
beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin.
Published: 2026-02-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting (XSS) via SVG Attribute Injection
Action: Upgrade
AI Analysis

Impact

Releases of Beautiful-Mermaid prior to 0.1.3 allow a user-controlled Mermaid diagram to inject arbitrary SVG attributes or elements when its style and classDef directives are rendered, because the library does not escape the values it interpolates into SVG attribute contexts. Such a value can terminate the attribute it is placed in, and when the produced SVG is embedded in a web page the injected markup can execute script in the origin of that page. The weakness is classified as CWE-79 (cross-site scripting).
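The defect described above is raw interpolation of style/classDef values into SVG attributes. The following is an added example, not beautiful-mermaid's own code, showing the unsafe pattern beside a hardened renderer that allowlists property names and value syntax and escapes whatever it emits; the property allowlist and the `renderNode*` names are assumptions for illustration.

```javascript
// Added example (not beautiful-mermaid's code): emit Mermaid style/classDef
// declarations into SVG attributes via an allowlist plus attribute escaping.

// Assumed allowlist; narrow it to what your renderer supports.
const ALLOWED_PROPS = new Set([
  'fill', 'stroke', 'stroke-width', 'stroke-dasharray', 'color', 'font-size',
]);
// Colors, lengths, dash lists only: no quotes, brackets or url(...).
const SAFE_VALUE = /^[A-Za-z0-9#.%\s-]+$/;

// Escape a string for use inside a double-quoted SVG/XML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Parse "fill:#f9f,stroke:#333,stroke-width:2px" into validated pairs;
// declarations failing the allowlist are dropped and reported, not emitted.
function parseStyle(styleText) {
  const accepted = [];
  const rejected = [];
  for (const decl of styleText.split(',')) {
    const idx = decl.indexOf(':');
    if (idx < 0) { rejected.push(decl); continue; }
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (ALLOWED_PROPS.has(prop) && SAFE_VALUE.test(value)) {
      accepted.push([prop, value]);
    } else {
      rejected.push(decl);
    }
  }
  return { accepted, rejected };
}

// The pattern the advisory describes: raw interpolation into an attribute.
function renderNodeUnsafe(id, styleText) {
  return `<rect id="${id}" style="${styleText}"/>`;
}

// Hardened: only validated declarations, each as its own escaped attribute.
function renderNodeSafe(id, styleText) {
  const { accepted } = parseStyle(styleText);
  const attrs = accepted.map(([p, v]) => ` ${p}="${escapeAttr(v)}"`).join('');
  return `<rect id="${escapeAttr(id)}"${attrs}/>`;
}
```

Rejected declarations are worth logging: a diagram whose style values contain quotes or angle brackets is a useful detection signal for an application that accepts Mermaid from users.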

Affected Systems

The vulnerable product is Beautiful-Mermaid from Lukilabs, versions prior to 0.1.3. No other vendors or product variants are listed as affected.

Risk and Exploitability

The CVSS base score is 5.3 (Medium severity). The EPSS score is below one percent, indicating a low current likelihood of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires an attacker to supply a crafted Mermaid diagram to an application that renders it and embeds the resulting SVG for a user, so remote exploitation depends on a vulnerable host that processes user-controlled Mermaid content.

Generated by OpenCVE AI on April 17, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Beautiful-Mermaid to version 0.1.3 or later to remove the SVG attribute injection flaw.
  • If an upgrade is not immediately possible, ensure that all Mermaid diagrams are generated and rendered only from trusted or sanitized sources; do not allow arbitrary user input to reach the rendering engine.
  • Implement a Content Security Policy that restricts inline scripts and disallows execution of scripts within embedded SVGs to mitigate any residual XSS risk.

Advisories

Source: GitHub GHSA
ID: GHSA-cgmm-x5ww-q5cr
Title: beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)

History

Fri, 13 Feb 2026 21:45:00 +0000

  • First Time appeared (values added): Lukilabs; Lukilabs beautiful-mermaid
  • Vendors & Products (values added): Lukilabs; Lukilabs beautiful-mermaid

Fri, 13 Feb 2026 17:15:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 16:45:00 +0000

  • Description (values added): the current description text, as given under Description above
  • Title (values added): beautiful-mermaid < 0.1.3 SVG Attribute Injection
  • Weaknesses (values added): CWE-79
  • References
  • Metrics (values added): cvssV4_0
    {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-13T16:58:09.961Z

Reserved: 2026-02-11T20:08:07.945Z

Link: CVE-2026-26226

Vulnrichment

Updated: 2026-02-13T16:58:06.221Z

NVD

Status: Deferred

Published: 2026-02-13T17:16:14.073

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26226

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses