A vulnerability was found in mermaid-js mermaid up to 10.9.5/11.14.x . It has been rated as critical . The impacted element is an unknown function of the component Setting Handler . Performing a manipulation results in code injection. This vulnerability is known as CVE-2026-41149 . Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.