Nixpkgs security tracker

Untriaged

Permalink CVE-2026-41149

5.3 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): Low (L)
Subsequent System Impact Integrity (SI): Low (L)
Subsequent System Impact Availability (SA): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Low (L)
Modified Subsequent System Impact Integrity (MSI): Low (L)
Modified Subsequent System Impact Availability (MSA): Low (L)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 1 week, 1 day ago Activity log

Created suggestion 1 week, 1 day ago

Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, <script> tags are stripped, which prevents cross-site scripting (XSS). This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting "securityLevel": "sandbox", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>.

References

https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr x_refsource_CONFIRM
https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 x_refsource_MISC
https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 x_refsource_MISC

Affected products

mermaid

==>= 11.0.0-alpha.1, < 11.15.0
==< 10.9.6

Matching in nixpkgs

pkgs.mermaid-cli

Generation of diagrams from text in a similar manner as markdown

nixos-unstable 11.12.0
- nixpkgs-unstable 11.12.0
- nixos-unstable-small 11.12.0
nixos-25.11 11.12.0
- nixos-25.11-small 11.12.0
- nixpkgs-25.11-darwin 11.12.0

pkgs.mdbook-mermaid

Preprocessor for mdbook to add mermaid.js support

nixos-unstable 0.17.0
- nixpkgs-unstable 0.17.0
- nixos-unstable-small 0.17.0
nixos-25.11 0.16.2
- nixos-25.11-small 0.16.2
- nixpkgs-25.11-darwin 0.16.2

pkgs.mermaid-filter

Pandoc filter for creating diagrams in mermaid syntax blocks in markdown docs

nixos-unstable 1.4.7
- nixpkgs-unstable 1.4.7
- nixos-unstable-small 1.4.7
nixos-25.11 1.4.7
- nixos-25.11-small 1.4.7
- nixpkgs-25.11-darwin 1.4.7

pkgs.python312Packages.sphinxcontrib-mermaid

Mermaid diagrams in yours sphinx powered docs

nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.python313Packages.sphinxcontrib-mermaid

Mermaid diagrams in yours sphinx powered docs

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.python314Packages.sphinxcontrib-mermaid

Mermaid diagrams in yours sphinx powered docs

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0

pkgs.python312Packages.mkdocs-mermaid2-plugin

MkDocs plugin for including mermaid graphs in markdown sources

nixos-25.11 mermaid2-plugin-1.2.3
- nixos-25.11-small mermaid2-plugin-1.2.3
- nixpkgs-25.11-darwin mermaid2-plugin-1.2.3

pkgs.python313Packages.mkdocs-mermaid2-plugin

MkDocs plugin for including mermaid graphs in markdown sources

nixos-unstable mermaid2-plugin-1.2.3
- nixpkgs-unstable mermaid2-plugin-1.2.3
- nixos-unstable-small mermaid2-plugin-1.2.3
nixos-25.11 mermaid2-plugin-1.2.3
- nixos-25.11-small mermaid2-plugin-1.2.3
- nixpkgs-25.11-darwin mermaid2-plugin-1.2.3

pkgs.python314Packages.mkdocs-mermaid2-plugin

MkDocs plugin for including mermaid graphs in markdown sources

nixos-unstable mermaid2-plugin-1.2.3
- nixpkgs-unstable mermaid2-plugin-1.2.3
- nixos-unstable-small mermaid2-plugin-1.2.3

pkgs.tree-sitter-grammars.tree-sitter-mermaid

Tree-sitter grammar for mermaid

nixos-unstable 0-unstable-2024-04-22
- nixpkgs-unstable 0-unstable-2024-04-22
- nixos-unstable-small 0-unstable-2024-04-22

pkgs.vimPlugins.nvim-treesitter-parsers.mermaid

Tree-sitter grammar for mermaid

nixos-unstable 0.0.0+rev=90ae195
- nixpkgs-unstable 0.0.0+rev=90ae195
- nixos-unstable-small 0.0.0+rev=90ae195
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.vscode-extensions.bierner.markdown-mermaid

Adds Mermaid diagram and flowchart support to VS Code's builtin markdown preview

nixos-unstable 1.32.0
- nixpkgs-unstable 1.32.0
- nixos-unstable-small 1.32.0
nixos-25.11 1.29.0
- nixos-25.11-small 1.29.0
- nixpkgs-25.11-darwin 1.29.0

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-mermaid

Python bindings for tree-sitter-mermaid

nixos-unstable 0+unstable20240422
- nixpkgs-unstable 0+unstable20240422
- nixos-unstable-small 0+unstable20240422

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-mermaid

Python bindings for tree-sitter-mermaid

nixos-unstable 0+unstable20240422
- nixpkgs-unstable 0+unstable20240422
- nixos-unstable-small 0+unstable20240422

Package maintainers

@xrelkd xrelkd
@matthiasbeyer Matthias Beyer <mail@beyermatthias.de>
@ysndr Yannik Sander <me@ysndr.de>
@ners ners <ners@gmx.ch>
@adfaure Adrien Faure <adfaure@pm.me>
@stepbrobd Yifei Sun <ysun@hey.com>
@A-jay98 Ali Jamadi <ali@jamadi.me>
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
@aciceri Andrea Ciceri <andrea.ciceri@autistici.org>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.mermaid-cli

pkgs.mdbook-mermaid

pkgs.mermaid-filter

pkgs.python312Packages.sphinxcontrib-mermaid

pkgs.python313Packages.sphinxcontrib-mermaid

pkgs.python314Packages.sphinxcontrib-mermaid

pkgs.python312Packages.mkdocs-mermaid2-plugin

pkgs.python313Packages.mkdocs-mermaid2-plugin

pkgs.python314Packages.mkdocs-mermaid2-plugin

pkgs.tree-sitter-grammars.tree-sitter-mermaid

pkgs.vimPlugins.nvim-treesitter-parsers.mermaid

pkgs.vscode-extensions.bierner.markdown-mermaid

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-mermaid

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-mermaid

Package maintainers