CVE-2026-41150
EUVD-2026-3332529.05.2026, 15:16
Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| mermaid_project | mermaid | 𝑥 < 10.9.6 |
| mermaid_project | mermaid | 11.0.0 ≤ 𝑥 < 11.15.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References