CVE-2026-41148: Mermaid.js CSS Injection Flaw in classDefs Parser Exposes Diagram Platforms
A security vulnerability has been uncovered in Mermaid.js, a popular JavaScript library used across development environments, wikis, and documentation platforms to render diagrams from text definitions. The flaw, tracked as CVE-2026-41148 (GHSA-xcj9-5m2h-648r), stems from improper sanitization of `classDefs` in diagrams and enables CSS injection through the createCssStyles parser. State diagrams and any diagram type that routes user-controlled style strings through this parser are directly affected.
The root cause lies in an unrestricted regex used to capture `classDef` values in Mermaid versions 11.14.0 and earlier. This design weakness permits malicious CSS definitions embedded in diagram source code to be applied in victim browsers, potentially leading to style-based information disclosure or UI manipulation. The vulnerability was patched in version 11.15.0, which introduces proper bounds on the regex pattern to prevent injection. OpenSSF Scorecard metrics indicate the project maintains reasonable security hygiene, though the flaw persisted through the vulnerable version range.
Developers integrating Mermaid into platforms accepting user-submitted diagram definitions face the highest exposure. Documentation systems, collaborative wikis, and any service where external users can define diagram markup should prioritize updating their dependency to v11.15.0 or later. Security teams should audit any direct ingestion of untrusted Mermaid source code and consider implementing output sanitization as an additional layer of defense, given the complexity of CSS injection attack chains.
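As an added illustration of the extra input check suggested above (example code written for this article, not Mermaid's own parser; the property allowlist and the regexes are assumptions, not Mermaid's actual rules), the following JavaScript validates `classDef` style strings in a submitted diagram before the source is handed to Mermaid for rendering, rejecting any entry whose characters could escape the generated CSS rule:

```javascript
// Pre-render allowlist check for Mermaid classDef style strings (added example,
// not Mermaid's code). The property list and grammar below are assumptions
// chosen for illustration, not the library's own parser rules.
const ALLOWED_PROPS = new Set([
  'fill', 'stroke', 'stroke-width', 'stroke-dasharray', 'color',
  'font-size', 'font-weight', 'font-style', 'opacity',
]);
// One style entry: an allowlisted property and a value limited to a conservative
// charset, so braces, semicolons, quotes and parentheses can never reach the CSS.
const ENTRY = /^([a-z-]+):([A-Za-z0-9#.%\s-]+)$/;
// A Mermaid classDef statement: `classDef <name> <comma-separated styles>;?`
const CLASSDEF = /^\s*classDef\s+([A-Za-z0-9_]+)\s+(.+?)\s*;?\s*$/;

// Validate one classDef line. Returns {ok:true, name, styles} or {ok:false, reason}.
function validateClassDef(line) {
  const m = CLASSDEF.exec(line);
  if (!m) return { ok: false, reason: 'not a classDef statement' };
  const [, name, styleList] = m;
  const styles = {};
  for (const raw of styleList.split(',')) {
    const entry = raw.trim();
    const e = ENTRY.exec(entry);
    if (!e) return { ok: false, reason: `malformed or unsafe entry: ${entry}` };
    const [, prop, value] = e;
    if (!ALLOWED_PROPS.has(prop)) return { ok: false, reason: `property not allowed: ${prop}` };
    styles[prop] = value.trim();
  }
  return { ok: true, name, styles };
}

// Scan a whole diagram source: every classDef line must pass; other lines are untouched.
// Returns the list of rejected lines with reasons (empty means safe to render).
function checkDiagram(source) {
  const rejected = [];
  for (const line of source.split('\n')) {
    if (!/^\s*classDef\b/.test(line)) continue;
    const r = validateClassDef(line);
    if (!r.ok) rejected.push({ line: line.trim(), reason: r.reason });
  }
  return rejected;
}

// Constructed sample: one benign classDef and one whose value carries a stray
// brace, the kind of breakout an unbounded capture regex would let through.
const SAMPLE = [
  'stateDiagram-v2',
  '  [*] --> Idle',
  '  classDef good fill:#f9f,stroke:#333,stroke-width:4px;',
  '  classDef bad fill:red} body{display:none',
].join('\n');
```

Running `checkDiagram(SAMPLE)` returns a single rejection for the `classDef bad` line, so the diagram is refused before `mermaid.render()` ever sees it.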
The disclosure highlights persistent risks in client-side text-to-diagram rendering libraries, where parser complexity often outpaces input validation assumptions. Platforms relying on Mermaid for visual communication should treat this update as mandatory rather than routine dependency maintenance.