
CVE-2026-41150

MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-05-11 https://github.com/mermaid-js/mermaid GHSA-6m6c-36f7-fhxh

Lifecycle Timeline

CVE Published
May 11, 2026 - 19:36 nvd
MEDIUM

Description (NVD)

Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [excludes attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates.

Example:

gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d

mermaid.parse is unaffected unless you then call ganttDb.getTasks(), which is called when rendering a diagram.
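
The condition described above can be checked before untrusted diagram text reaches the renderer. This is an added example, not code from mermaid or from this advisory: a heuristic that flags gantt definitions whose `excludes` lines cover all seven weekdays. It assumes the `excludes` tokens documented by mermaid (weekday names, `weekends`, YYYY-MM-DD dates) and the `weekend friday` setting; the function name is hypothetical.

```javascript
// Added example: heuristic pre-render triage, not mermaid's code or its patch.
const WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
                  "friday", "saturday", "sunday"];

// Constructed sample input: the diagram shown in the advisory text.
const ADVISORY_SAMPLE = [
  "gantt",
  "  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday",
  "  DoS :2025-01-01, 1d",
].join("\n");

// Returns true when a gantt definition's `excludes` tokens cover every weekday.
function excludesEveryWeekday(definition) {
  // Drop %% comments and surrounding whitespace before matching keywords.
  const lines = definition.split(/\r?\n/)
    .map((l) => l.replace(/%%.*$/, "").trim());
  if (!lines.some((l) => /^gantt\b/i.test(l))) return false;

  // Assumption: `weekend friday` makes "weekends" mean friday + saturday.
  const fridayWeekend = lines.some((l) => /^weekend\s+friday\b/i.test(l));
  const weekend = fridayWeekend ? ["friday", "saturday"] : ["saturday", "sunday"];

  const covered = new Set();
  for (const line of lines) {
    const m = /^excludes\s+(.*)$/i.exec(line);
    if (!m) continue;
    // Tokens from all `excludes` lines are unioned: a conservative choice
    // that may over-flag, which is acceptable for a reject-before-render gate.
    for (const token of m[1].toLowerCase().split(/[\s,]+/).filter(Boolean)) {
      if (token === "weekends") weekend.forEach((d) => covered.add(d));
      else if (WEEKDAYS.includes(token)) covered.add(token);
      // YYYY-MM-DD tokens are skipped: a finite date list alone cannot
      // exclude every date.
    }
  }
  return WEEKDAYS.every((d) => covered.has(d));
}
```

A service that accepts user-supplied diagrams can reject or quarantine any input for which this returns true while the mermaid upgrade is rolled out.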

Patches

This has been patched in:

Workarounds

There are no workarounds available without updating to a newer version of mermaid.

