Anonymous Intelligence Signal

Mermaid 11.15.0 Patches CSS Injection via themeCSS and fontFamily — CVE-2026-41159

human | The Lab | unverified | 2026-05-12 07:48:26 | Source: GitHub Issues

A critical CSS injection vulnerability has been disclosed in Mermaid, the widely used open-source diagramming and charting library. Tracked as CVE-2026-41159 (GHSA-87f9-hvmw-gh4p), the flaw stems from insufficient sanitization of user-supplied configuration options: the values of the `fontFamily`, `themeCSS`, and `altFontFamily` parameters are accepted with too little filtering, so styles injected through them are not confined to the rendered diagram and can apply to the rest of the embedding page. A live demonstration of the exploit has been published via the official Mermaid Live editor at mermaid.live.

The vulnerability was remediated in version 11.15.0, a minor-version bump over the previous release (11.14.0). Mermaid publishes an OpenSSF Scorecard rating, and the library is embedded in thousands of projects across software development environments, documentation platforms, and collaborative tooling, so the exposure window is significant for any deployment that processes untrusted input through Mermaid's configuration pipeline. Deployments that render diagrams from external or user-controlled sources face the highest risk: the injection needs only control over the configuration values, not access to the host page's code.

The broader implications extend to any platform where Mermaid is integrated as a rendering service, including wikis, bug trackers, design documentation systems, and note-taking applications. Security teams should verify whether their implementations pass unsanitized user input into Mermaid's configuration options, in particular `fontFamily`, `altFontFamily`, and `themeCSS`, and prioritize updating to 11.15.0 or later. Where immediate patching is not feasible, dropping or strictly validating those keys before they reach Mermaid removes the injection path. Content Security Policy helps less than it first appears: the injected rules land inside the stylesheet Mermaid itself emits for the diagram, so a policy strict enough to block them also blocks Mermaid's own inline styles and breaks rendering; what CSP can still do is limit what the injected CSS is able to load from elsewhere through directives such as `img-src` and `font-src`. The NVD entry for CVE-2026-41159 remains under review, and further technical specifics are expected as the disclosure matures.
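The following is an added example, not Mermaid's code and not the published demonstration: it illustrates the injection class described above with a constructed toy stylesheet template (Mermaid's real template is not reproduced; that interpolation pattern is an assumption), and pairs it with the two checks the paragraphs above call for: an allowlisting sanitizer for configuration objects that come from untrusted sources before they reach `mermaid.initialize()`, and a scanner that flags `%%{init: ...}%%` directives in diagram text that mention the affected keys. The theme allowlist and the font-family pattern are a sample policy, not Mermaid's; all inputs are constructed.

```javascript
// Added example for CVE-2026-41159 (not Mermaid's code). Shows how a config
// string can escape a diagram-scoped rule, and how to keep untrusted values
// away from the affected keys before mermaid.initialize() / mermaid.render().

// Keys named in the advisory that carry CSS or font names into the stylesheet.
const CSS_BEARING_KEYS = ["fontFamily", "altFontFamily", "themeCSS"];

// Toy renderer mimicking the interpolation pattern the advisory describes.
// This is NOT Mermaid's template; it is an assumption made for illustration.
function buildDiagramStyle(diagramId, config) {
  const font = config.fontFamily ?? "sans-serif";
  return (
    `#${diagramId} .label { font-family: ${font}; }\n` +
    `#${diagramId} .node rect { fill: #ECECFF; }\n` +
    (config.themeCSS ?? "")
  );
}

// Crude scope check: every selector (text before "{") must start with the
// diagram's id, otherwise some rule applies outside the diagram.
function hasUnscopedRule(css, diagramId) {
  return css
    .split("}")
    .map((chunk) => chunk.split("{")[0].trim())
    .filter((selector) => selector.length > 0)
    .some((selector) => !selector.startsWith(`#${diagramId}`));
}

// Sample policy (assumption): untrusted callers may pick a theme from a fixed
// list and a font family made only of family names. Raw themeCSS has no safe
// subset and is dropped; every other key is dropped too and reported.
const ALLOWED_THEMES = new Set(["default", "dark", "forest", "neutral", "base"]);
const SAFE_FONT_FAMILY = /^"?[A-Za-z0-9 _-]+"?(\s*,\s*"?[A-Za-z0-9 _-]+"?)*$/;

function sanitizeMermaidConfig(untrusted) {
  const config = {};
  const rejected = [];
  for (const [key, value] of Object.entries(untrusted)) {
    if (key === "theme" && ALLOWED_THEMES.has(value)) {
      config.theme = value;
    } else if (
      (key === "fontFamily" || key === "altFontFamily") &&
      typeof value === "string" &&
      SAFE_FONT_FAMILY.test(value)
    ) {
      config[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { config, rejected };
}

// Diagram text can carry %%{init: {...}}%% directives that set config. Report
// any directive mentioning a CSS-bearing key so it can be rejected or logged.
// Detection heuristic only, not a full directive parser.
function findCssBearingDirectives(diagramText) {
  const hits = [];
  const directive = /%%\{\s*init\s*:([\s\S]*?)\}%%/g;
  for (const match of diagramText.matchAll(directive)) {
    const keys = CSS_BEARING_KEYS.filter((k) => match[1].includes(k));
    if (keys.length > 0) hits.push({ directive: match[0], keys });
  }
  return hits;
}

// Constructed sample inputs (not taken from the advisory or the live demo).
const DIAGRAM_ID = "d1";
const MALICIOUS_CONFIG = {
  fontFamily: "x; } body { display: none; } #d1 .label { font-family: y",
  themeCSS: "body { background: url(x) }",
  securityLevel: "loose",
};
const BENIGN_CONFIG = { theme: "dark", fontFamily: '"Trebuchet MS", Verdana' };
const SAMPLE_DIAGRAM = `%%{init: {"fontFamily": "a; } body { color: red"}}%%
graph TD
  A --> B`;

function demo() {
  const unsafeCss = buildDiagramStyle(DIAGRAM_ID, MALICIOUS_CONFIG);
  const { config, rejected } = sanitizeMermaidConfig(MALICIOUS_CONFIG);
  const safeCss = buildDiagramStyle(DIAGRAM_ID, config);
  return {
    unsafeEscapes: hasUnscopedRule(unsafeCss, DIAGRAM_ID), // true
    safeEscapes: hasUnscopedRule(safeCss, DIAGRAM_ID),     // false
    rejected,                                              // all three keys
    directives: findCssBearingDirectives(SAMPLE_DIAGRAM).length, // 1
  };
}

console.log(demo());
```

The sanitizer deliberately allowlists rather than blocklists: a blocklist of `}` and `;` would miss the next encoding trick, whereas a pattern of plain family names admits nothing that can terminate a CSS declaration. The directive scanner matters because in embedding products the diagram text is usually the only thing a user controls, so a check on the configuration object alone leaves that path open.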