
GHSA-39H7-PWV7-RC3X: DOM-based XSS in Excalidraw via Mermaid Diagram Rendering
DEV Community·CVE Reports·about 1 month ago

GHSA-39H7-PWV7-RC3X: DOM-based XSS in Excalidraw via Mermaid Diagram Rendering

Vulnerability ID: GHSA-39H7-PWV7-RC3X
CVSS Score: 7.5
Published: 2026-04-24

Excalidraw is affected by a DOM-based cross-site scripting (XSS) vulnerability caused by an upstream flaw in the Mermaid diagramming library. The issue occurs while Mermaid calculates the dimensions of KaTeX-rendered labels: the rendered label markup is not sanitized before it reaches the DOM, so a malicious diagram executes arbitrary JavaScript in the browser of whoever renders it.

TL;DR: DOM-based XSS in Excalidraw resulting from un-sanitized KaTeX label rendering in the upstream Mermaid engine.…
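The pattern behind this class of bug, as an added illustration that is not Mermaid's, KaTeX's or Excalidraw's code: a label is split into text and math segments, the math is rendered to HTML, and the concatenated markup is written into an offscreen DOM node with innerHTML so its width and height can be read. If any segment reaches innerHTML unescaped, a label carrying an event-handler attribute runs script at measurement time. The `$$...$$` delimiter, the function names and the placement of the escaping step are assumptions made for the example; the stub renderer stands in for KaTeX only in that it escapes the TeX source it echoes back. The tripwire function at the end is a test aid, not a sanitizer; in production the markup should go through a maintained sanitizer such as DOMPurify before any innerHTML assignment.

```javascript
// Added example of the measurement-time XSS pattern named in the advisory.
// Hypothetical code: not taken from Mermaid, KaTeX or Excalidraw.

// Minimal HTML escaping for text that must stay inert inside innerHTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Stand-in for a KaTeX-style renderer (assumption): the math source is escaped
// when echoed into the output, so the math segment is not the weak spot here.
function renderMathStub(tex) {
  return `<span class="katex">${escapeHtml(tex)}</span>`;
}

// Split a label on $$...$$ delimiters (assumed syntax) into text and math segments.
function splitLabel(label) {
  const parts = [];
  const re = /\$\$([\s\S]*?)\$\$/g;
  let last = 0;
  let m;
  while ((m = re.exec(label)) !== null) {
    if (m.index > last) parts.push({ kind: 'text', value: label.slice(last, m.index) });
    parts.push({ kind: 'math', value: m[1] });
    last = re.lastIndex;
  }
  if (last < label.length) parts.push({ kind: 'text', value: label.slice(last) });
  return parts;
}

// Vulnerable shape: the non-math text is concatenated into the markup as-is. In a
// browser this string would be assigned to probe.innerHTML to read the label's size,
// and any on* handler in it fires on insertion.
function buildMeasurementHtmlUnsafe(label) {
  return splitLabel(label)
    .map((p) => (p.kind === 'math' ? renderMathStub(p.value) : p.value))
    .join('');
}

// Hardened shape: every non-math segment is escaped before it can reach innerHTML.
function buildMeasurementHtmlSafe(label) {
  return splitLabel(label)
    .map((p) => (p.kind === 'math' ? renderMathStub(p.value) : escapeHtml(p.value)))
    .join('');
}

// Tag-aware tripwire for tests: does the markup contain an element or attribute that
// would execute on insertion? Escaped text such as "&lt;img onerror=..." is not a tag
// and therefore does not trip it. This is a test aid, not a sanitizer.
function containsActiveContent(html) {
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    const attrs = m[2];
    if (['script', 'iframe', 'object', 'embed'].includes(name)) return true;
    if (/\son[a-z]+\s*=/i.test(attrs)) return true;
    if (/\b(href|src|xlink:href)\s*=\s*["']?\s*javascript:/i.test(attrs)) return true;
  }
  return false;
}

// Constructed sample label of the kind a malicious diagram could carry.
const SAMPLE_LABEL = 'E = $$mc^2$$ <img src=x onerror="alert(document.domain)">';

const unsafeResult = buildMeasurementHtmlUnsafe(SAMPLE_LABEL);
const safeResult = buildMeasurementHtmlSafe(SAMPLE_LABEL);
console.log('unsafe executes:', containsActiveContent(unsafeResult), unsafeResult);
console.log('safe executes:  ', containsActiveContent(safeResult), safeResult);
```

The check a practitioner wants on their own side is the same one the tripwire encodes: find every place where rendered diagram markup is assigned to innerHTML (or inserted with an equivalent API) and confirm that each text segment is either escaped or passed through a real sanitizer first; the measurement path is easy to miss because it never becomes visible output.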
