Siren Song: XSS via Attribute Injection in Beautiful Mermaid
Vulnerability ID: CVE-2026-26226
CVSS Score: 5.3
Published: 2026-02-13
A classic case of 'trust but don't verify' in the beautiful-mermaid npm package lets an attacker turn a harmless flowchart into a vector for Cross-Site Scripting (XSS). By placing crafted values in Mermaid style definitions, an adversary can break out of an SVG attribute and execute arbitrary JavaScript in the browser of whoever renders the diagram. The root cause is unescaped template literal interpolation in src/renderer.ts: diagram-controlled style values are concatenated straight into SVG attribute strings, so a double quote inside a value terminates the attribute and everything after it is parsed as new markup. String concatenation into markup without escaping is, once again, the enemy of security.
TL;DR
Missing output escaping in beautiful-mermaid < 0.1.3 allows SVG attribute injection via crafted Mermaid diagrams. An attacker who can supply diagram source can execute arbitrary JavaScript (XSS) in the browser of anyone who renders it by embedding malicious strings in style or classDef directives.
⚠️ Exploit Status: POC
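The following TypeScript is an added illustration of the interpolation pattern the advisory describes; it is not code from beautiful-mermaid or its author. The rect shape, the stroke default, the simplified style-directive parser, the payload line and every function name (renderNodeVulnerable, renderNodeFixed, parseStyleLine, attributeNames, onlyExpectedAttributes) are assumptions for this example. It renders one constructed payload through the unescaped and the escaped code path, then tokenizes the resulting element's attributes with a quote-aware scanner, because a plain substring search for "onload=" would wrongly flag the escaped output too.

```typescript
// Added example (not beautiful-mermaid's code): a stand-in for the
// interpolation pattern the advisory describes. The <rect> shape, the
// stroke default and all function names are assumptions for illustration.

interface InlineStyle {
  fill?: string;
  stroke?: string;
}

// Escape the XML-special characters so a value is inert inside a
// double-quoted attribute. Same idea as the escapeXml call in the fix.
function escapeXml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Pre-0.1.3 pattern: the style value goes straight into the template
// literal, so a double quote in it closes the fill attribute early.
function renderNodeVulnerable(id: string, style: InlineStyle): string {
  const fill = style.fill ?? "var(--_node-fill)";
  const stroke = style.stroke ?? "var(--_node-stroke)";
  return `<rect id="${id}" fill="${fill}" stroke="${stroke}" width="120" height="40"/>`;
}

// Hardened pattern: every diagram-controlled value is escaped before
// interpolation. The published hunk shows fill only; escaping id and
// stroke as well is this example's assumption.
function renderNodeFixed(id: string, style: InlineStyle): string {
  const fill = escapeXml(style.fill ?? "var(--_node-fill)");
  const stroke = escapeXml(style.stroke ?? "var(--_node-stroke)");
  return `<rect id="${escapeXml(id)}" fill="${fill}" stroke="${stroke}" width="120" height="40"/>`;
}

// Simplified parser for a Mermaid "style <id> k:v,k:v" directive. The real
// grammar is richer; this is just enough to feed the renderers above.
function parseStyleLine(line: string): { id: string; style: InlineStyle } {
  const m = /^style\s+(\S+)\s+(.*)$/.exec(line.trim());
  if (!m) throw new Error("not a style directive");
  const style: InlineStyle = {};
  for (const pair of m[2].split(",")) {
    const idx = pair.indexOf(":");
    if (idx < 0) continue;
    const key = pair.slice(0, idx).trim();
    const val = pair.slice(idx + 1).trim();
    if (key === "fill") style.fill = val;
    if (key === "stroke") style.stroke = val;
  }
  return { id: m[1], style };
}

// Attribute names of one element string, honouring quotes, so text that
// merely sits inside a quoted value is never mistaken for a new attribute.
function attributeNames(element: string): string[] {
  const names: string[] = [];
  const end = element.length;
  let i = element.indexOf(" ");
  const isWs = (c: string | undefined) => c !== undefined && /\s/.test(c);
  while (i >= 0 && i < end) {
    while (isWs(element[i])) i++;
    if (i >= end || element[i] === "/" || element[i] === ">") break;
    let j = i;
    while (j < end && !/[\s=\/>]/.test(element[j])) j++;
    names.push(element.slice(i, j));
    i = j;
    while (isWs(element[i])) i++;
    if (element[i] === "=") {
      i++;
      while (isWs(element[i])) i++;
      const q = element[i];
      if (q === '"' || q === "'") {
        const close = element.indexOf(q, i + 1);
        i = close < 0 ? end : close + 1;
      } else {
        while (i < end && !/[\s>]/.test(element[i])) i++;
      }
    }
  }
  return names;
}

// Constructed payload: closes the fill value and smuggles in an event handler.
const PAYLOAD_LINE = 'style A fill:#f00" onload="alert(1)';

// Render the payload through both code paths.
function demo(): { vulnerable: string; fixed: string } {
  const { id, style } = parseStyleLine(PAYLOAD_LINE);
  return {
    vulnerable: renderNodeVulnerable(id, style),
    fixed: renderNodeFixed(id, style),
  };
}

// True when the element carries no attribute beyond the renderer's own five.
function onlyExpectedAttributes(element: string): boolean {
  const expected = ["id", "fill", "stroke", "width", "height"];
  return attributeNames(element).every((n) => expected.indexOf(n) !== -1);
}

const out = demo();
console.log(out.vulnerable); // injected onload becomes a real attribute
console.log(out.fixed);      // the quote is now &quot;, payload stays inside fill
```

The quote-aware scanner is the part to keep in mind when verifying a fix: the escaped output still contains the literal text onload=, so a grep for it reports a false positive, while tokenizing attributes shows that the handler never left the fill value.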
Technical Details
- CWE: CWE-79 (Cross-Site Scripting)
- CVSS v4.0: 5.3 (Medium)
- Attack Vector: Network (Stored XSS via Diagram)
- Exploit Status: Proof of Concept Available
- Affected Component: src/renderer.ts (renderNodeShape)
- Patch Date: 2026-02-13
Affected Systems
- beautiful-mermaid (npm package): < 0.1.3 (Fixed in: 0.1.3)
Code Analysis
Commit: 68f3ab8
Fix SVG attribute injection by escaping inline style values
- const fill = inlineStyle?.fill ?? 'var(--_node-fill)'
+ const fill = escapeXml(inlineStyle?.fill ?? 'var(--_node-fill)')
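Review bot: only the fill value is wrapped in escapeXml here; if renderNodeShape interpolates other inlineStyle keys (stroke or similar) into the same template literal, each needs the same call, otherwise the attribute injection this commit is meant to close remains reachable through those values. Attribute escaping is also only sufficient when the value lands inside a quoted attribute; a value interpolated into an unquoted attribute or into a style element needs different handling. The default 'var(--_node-fill)' passing through escapeXml is harmless since it contains no XML-special characters.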
Exploit Details
- Regression Test: The patch includes regression tests that double as a proof of concept for the attribute injection, rendering style values containing quotes and angle brackets and checking that they stay inside the attribute.
Mitigation Strategies
- Input Sanitization: escape every diagram-controlled value (style and classDef values included) before interpolating it into SVG attributes; sanitizing at the renderer is the actual fix.
- Content Security Policy (CSP): a policy that disallows inline script and inline event handlers limits what an injected attribute can execute in the viewer's browser; this is defence in depth, not a substitute for the fix.
- Library Updates: upgrade to beautiful-mermaid 0.1.3 or later.
Remediation Steps:
- Identify all projects using beautiful-mermaid via npm list beautiful-mermaid.
- Upgrade the package to version 0.1.3 or later: npm install beautiful-mermaid@latest.
- Verify the fix by rendering a diagram whose style definitions contain special characters (double quotes, angle brackets, ampersands) and confirming they appear escaped in the output rather than as new attributes or elements.
- Review other dependencies that perform raw SVG or HTML string generation for the same pattern.