CVE-2026-41159
Status: Received - Intake
CSS Injection in Mermaid Diagram Tool

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS abuses stylis's & (scope reference) handling: :not(&) escapes the automatic #mermaid-xxx scoping, so the injected rules apply to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable because stylis hoists them to the top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0.
Affected Vendors & Products (4 associated CPEs)
Vendor       Product   Version / Range
mermaid-js   mermaid   up to 10.9.6 (excluding)
mermaid-js   mermaid   from 11.0.0-alpha.1 (including) to 11.14.0 (including)
mermaid-js   mermaid   11.15.0
mermaid-js   mermaid   10.9.6
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41159 is a vulnerability in the Mermaid JavaScript diagram tool that allows attackers to inject malicious CSS through certain configuration options like fontFamily, themeCSS, and altFontFamily.

This injected CSS bypasses Mermaid's default scoping mechanisms, meaning the malicious styles can affect the entire webpage, not just the Mermaid diagrams.

The vulnerability exploits how the stylis CSS processor handles scope references and global at-rules, enabling attackers to perform page defacement or exfiltrate data via CSS selectors.

It affects Mermaid versions 11.0.0-alpha.1 through 11.14.0 and 10.9.5 or earlier, and has been fixed in versions 11.15.0 and 10.9.6.

How can this vulnerability impact me?

This vulnerability can lead to page defacement, where an attacker changes the appearance of your webpage by injecting malicious CSS.

It also allows attackers to exfiltrate data from the Document Object Model (DOM) by using CSS :has() selectors, potentially leaking sensitive information.

The exploit requires no special privileges or user interaction, making it easier for attackers to abuse.

Overall, it poses a moderate security risk with a CVSS score of 5.3.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves CSS injection through Mermaid's configuration options such as fontFamily, themeCSS, and altFontFamily. Detection involves checking the Mermaid versions in use and inspecting configuration settings for unsafe CSS injection.

Specifically, you can verify the Mermaid version to see if it falls within the vulnerable range (versions 11.0.0-alpha.1 through 11.14.0 and 10.9.5 or earlier).

  • Check Mermaid version in your project dependencies or package.json.
  • Search for usage of fontFamily, themeCSS, or altFontFamily configuration options in your Mermaid setup.
  • Look for injected CSS that uses :not(&) selectors or global at-rules like @font-face, @keyframes, or @counter-style in rendered pages.

There are no specific commands provided in the resources, but typical commands might include:

  • npm list mermaid-js or yarn list mermaid-js to check installed Mermaid version.
  • grep or search your codebase for fontFamily, themeCSS, altFontFamily to identify potentially unsafe configurations.
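
An added example (not Mermaid project code and not part of this record) that automates the two detection steps above: a version test against the affected ranges given in this record, and a scan of the fontFamily, altFontFamily and themeCSS options for the constructs the description names. Sample configs are constructed; treating an 11.15.0 pre-release as still affected is an assumption.

```javascript
// Added example, not Mermaid project code: defender-side checks for CVE-2026-41159.
// (1) Does an installed Mermaid version fall in the affected ranges from this record?
// (2) Do fontFamily / altFontFamily / themeCSS contain the constructs the advisory names?

// Affected per the record: below 10.9.6, and 11.0.0-alpha.1 through 11.14.0 inclusive.
function isVulnerableMermaidVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) return null; // unparseable: report as unknown rather than guessing
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  const isPrerelease = m[4] !== undefined;
  if (major < 10) return true; // everything before the 10.9.6 fix line
  if (major === 10) return minor < 9 || (minor === 9 && patch < 6);
  if (major === 11) {
    // 11.15.0 is the fix. Assumption: an 11.15.0 pre-release predates the fix, so flag it.
    return minor < 15 || (minor === 15 && patch === 0 && isPrerelease);
  }
  return false; // 12.x and later are after both fixed releases
}

// Constructs from the advisory that have no place in a font name or a diagram-scoped stylesheet.
const UNSAFE_CSS_PATTERNS = [
  { issue: 'stylis & scope reference', re: /&/ },                               // e.g. :not(&) escapes #mermaid-xxx
  { issue: 'global at-rule', re: /@(?:font-face|keyframes|counter-style)\b/i }, // hoisted to top level by stylis
  { issue: ':has() selector', re: /:has\s*\(/i },                               // DOM attribute exfiltration primitive
];

// Returns one finding per (option, issue) pair; an empty array means nothing suspicious.
function findUnsafeMermaidCss(config) {
  const findings = [];
  for (const option of ['fontFamily', 'altFontFamily', 'themeCSS']) {
    const value = config && config[option];
    if (typeof value !== 'string') continue;
    for (const { issue, re } of UNSAFE_CSS_PATTERNS) {
      if (re.test(value)) findings.push({ option, issue });
    }
  }
  return findings;
}

// Constructed samples: a normal font stack, and a config carrying two of the flagged constructs.
const safeConfig = { fontFamily: '"trebuchet ms", verdana, arial, sans-serif' };
const suspectConfig = { fontFamily: 'arial, :not(&)', themeCSS: '@font-face { }' };

console.log(isVulnerableMermaidVersion('11.14.0'), isVulnerableMermaidVersion('11.15.0')); // true false
console.log(findUnsafeMermaidCss(safeConfig).length, findUnsafeMermaidCss(suspectConfig)); // 0 and two findings
```

A literal ampersand in a font name is rare but legitimate, so review flagged fontFamily values by hand rather than failing a build on them automatically.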

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, the primary recommendation is to upgrade Mermaid to a patched version.

  • Upgrade Mermaid to version 10.9.6 or later, or 11.15.0 or later, where the vulnerability is fixed.
  • If upgrading is not immediately possible, configure Mermaid to use the secure config value or enable the "securityLevel": "sandbox" option to restrict CSS injection.

These steps help prevent malicious CSS from escaping Mermaid's default scoping and protect against page defacement or data exfiltration.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Mermaid allows CSS injection that can lead to page defacement and DOM attribute exfiltration via CSS selectors. This could potentially expose sensitive information or affect the integrity of web pages.

Such unauthorized data exfiltration and page manipulation could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and maintaining data integrity.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.
