Impact Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the "fontFamily", "themeCSS", and "altFontFamily" configuration options. Live demo: "mermaid.live" (https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg) Example code: %%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%% flowchart LR A --> B The injected CSS exploits stylis's "&" (scope reference) handling. ":not(&)" escapes the "#mermaid-xxx" automatic scoping, applying styles to all page elements. Global at-rules ("@font-face", "@keyframes", "@counter-style") are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS ":has()" selectors. Patches - "v11.15.0" (https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see "64769738d5b59211e1decb471ffbaca8afec51aa" (https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)) - "v10.9.6" (https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see "a9d9f0d8eb790349121508688cd338253fd80d76" (https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)) Workarounds If you can't upgrade mermaid, you can set the ""secure"" (https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify "fontFamily", "themeCSS", "altFontFamily", and "themeVariables". Setting """securityLevel": "sandbox""" (https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this. Credits Reported by @zsxsoft on behalf of @KeenSecurityLab