
[GHSA-cgmm-x5ww-q5cr] beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)#6929

Closed
cai0duque wants to merge 1 commit into cai0duque/advisory-improvement-6929 from cai0duque-GHSA-cgmm-x5ww-q5cr

Conversation

@cai0duque

Updates

  • CVSS v4
  • CWEs
  • Description

Comments
Increased the Severity (CVSS) to Moderate. The previous assessment underestimated the Subsequent System Impact (SC/SI). Since this is a library likely used to render content in web applications, a successful XSS exploit allows an attacker to hijack user sessions (High Confidentiality impact) and perform actions on behalf of the user (High Integrity impact). Updated the description to explicitly mention the vectors (classDef/style directives).

Copilot AI review requested due to automatic review settings February 17, 2026 09:02
@github-actions github-actions bot changed the base branch from main to cai0duque/advisory-improvement-6929 February 17, 2026 09:03

Copilot AI left a comment


Pull request overview

This pull request updates a GitHub Security Advisory (GHSA-cgmm-x5ww-q5cr) for the beautiful-mermaid npm package (CVE-2026-26226), which contains an SVG attribute injection vulnerability leading to cross-site scripting (XSS). The update revises the CVSS v4 scoring to better reflect the impact on subsequent systems (applications using the library), adds CWE-116 to complement the existing CWE-79 classification, and rewrites the vulnerability description to be more specific about attack vectors and impacts.

Changes:

  • Updated CVSS v4 score to reflect high confidentiality and integrity impact on subsequent systems (applications using the library) instead of the vulnerable library itself
  • Added CWE-116 (Improper Encoding or Escaping of Output) alongside existing CWE-79 (XSS)
  • Rewrote description to explicitly mention attack vectors (classDef and style directives) and potential impacts (Account Takeover, session hijacking)

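The review above classifies the bug as CWE-116 (improper encoding of output) with classDef/style directives as the vector. The following is an added illustration, not code from beautiful-mermaid or from the advisory: a hardened path that turns a directive body such as `fill:#f9f,stroke:#333` into an SVG `style` attribute. The directive format, the allowlist and the `renderStyleAttribute` function are assumptions made for the example.

```javascript
// Added example (not beautiful-mermaid's own code). Assumes the renderer receives
// the raw body of a "classDef"/"style" directive as "prop:value,prop:value" and
// emits SVG markup as a string. The CWE-116 point: never concatenate raw directive
// text into attribute markup; allowlist the value, then escape as defence in depth.

// A property name and a value built only from characters that cannot terminate
// an attribute or introduce markup. Parentheses are excluded on purpose so
// url(...) and other function-like values are rejected outright.
const SAFE_PROPERTY = /^[a-zA-Z-]+$/;
const SAFE_VALUE = /^[#\w.%\s-]+$/;

// Escape the five characters that matter inside a double-quoted attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse "prop:value,prop:value" and keep only declarations that pass the allowlist.
// Returns { kept: [[prop, value], ...], dropped: [rawDeclaration, ...] }.
function parseStyleDirective(directive) {
  const kept = [];
  const dropped = [];
  for (const raw of directive.split(',')) {
    const decl = raw.trim();
    if (decl === '') continue;
    const idx = decl.indexOf(':');
    const prop = idx === -1 ? '' : decl.slice(0, idx).trim();
    const value = idx === -1 ? '' : decl.slice(idx + 1).trim();
    if (SAFE_PROPERTY.test(prop) && SAFE_VALUE.test(value)) {
      kept.push([prop, value]);
    } else {
      dropped.push(decl);
    }
  }
  return { kept, dropped };
}

// Build the attribute string that would be emitted on an SVG <g> or <rect>.
// Rejected declarations are dropped rather than "repaired" so nothing unexpected
// reaches the markup; a renderer could also surface `dropped` as a parse warning.
function renderStyleAttribute(directive) {
  const { kept } = parseStyleDirective(directive);
  const css = kept.map(([p, v]) => `${p}:${v}`).join(';');
  return `style="${escapeAttr(css)}"`;
}

// Constructed inputs: a normal directive, and one whose values carry a quote and
// angle brackets, i.e. the characters that would end the attribute or open a tag.
const benign = 'fill:#f9f,stroke:#333,stroke-width:4px';
const hostile = 'fill:red"x,stroke:<b>';
```

Running `renderStyleAttribute(benign)` yields `style="fill:#f9f;stroke:#333;stroke-width:4px"`, while the hostile directive produces an empty `style=""` because both declarations fail the allowlist.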

@shelbyc
Contributor

shelbyc commented Feb 17, 2026

Hi @cai0duque, I'm closing the PR because I agree with the CVE description and CVSS provided by my peers at VulnCheck. The CVSS provided, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, is typical of cross-site scripting vulnerabilities and the CVE description VulnCheck provided is accurate.

@shelbyc shelbyc closed this Feb 17, 2026
@github-actions github-actions bot deleted the cai0duque-GHSA-cgmm-x5ww-q5cr branch February 17, 2026 21:31