Browse all 5 CVE security advisories affecting mermaid-js. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Mermaid-js is a JavaScript-based diagramming and charting tool that enables developers to create visualizations through text-based descriptions. Historically, it has been susceptible to cross-site scripting (XSS) vulnerabilities due to improper input sanitization in rendering functions, with several instances allowing remote code execution through malicious diagram definitions. The project has addressed multiple security flaws, including those enabling arbitrary code execution via crafted diagram syntax, though no major public security incidents have been documented. Despite these vulnerabilities, the tool remains widely adopted for documentation and visualization purposes, with ongoing efforts to improve security through input validation and sandboxed rendering environments.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-54881 | Mermaid improperly sanitizes of sequence diagram labels leading to XSS — mermaidCWE-79 | 5.4AI | MediumAI | 2025-08-19 |
| CVE-2025-54880 | Mermaid does not properly sanitize architecture diagram iconText leading to XSS — mermaidCWE-79 | 5.4AI | MediumAI | 2025-08-19 |
| CVE-2024-38527 | Cross-site Scripting in ZenUML — zenuml-coreCWE-79 | 5.4 | Medium | 2024-06-26 |
| CVE-2022-31108 | Arbitrary `CSS` injection into the generated graph affecting the container HTML in mermaid.js — mermaidCWE-74 | 4.1 | Medium | 2022-06-28 |
| CVE-2021-43861 | Incorrect sanitisation function leads to `XSS` — mermaidCWE-79 | 7.2 | High | 2021-12-30 |
This page lists every published CVE security advisory associated with mermaid-js. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.