[Bugcrowd] Stored XSS on app domain via old mermaid library

Description

Note from QA - the issue has been successfully reproduced on both PROD (Connect) and QA (Forge) versions of Macro Pack.

Below is the original description provided by the Bugcrowd researcher.


The mermaid diagrams in this app are rendered via the outdated mermaid library (< v11.10.0). There is a known CVE for it: https://security.snyk.io/vuln/SNYK-JS-MERMAID-12027649
As a result, an attacker may trigger a Stored XSS on the app domain (http://macro-pack.atlassian0.com).

Steps to Reproduce

  1. Call the Macro Pack macro (start with /macro somewhere on a page).

  2. Use text as a source and this content as a value (you can also copy the PoC from the advisory page):

    sequenceDiagram participant A as Alice<img src=x onerror=alert(document.domain)>$$\\text{Alice}$$ A->>John: Hello John, how are you? Alice-)John: See you later!
  3. Save the diagram and reload the page -> XSS fires.
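As an added defender-side check that is not part of this ticket or the Macro Pack project: a Node script that walks a package-lock.json and flags every copy of mermaid older than the 11.10.0 threshold named in the report, including transitive copies nested under another package. The lockfile fragment is constructed, and the function and constant names are assumptions.

```javascript
// Added example (not from the ticket or the Macro Pack project): flag any
// mermaid entry in a package-lock.json (lockfileVersion 2/3 "packages" map)
// that is older than the 11.10.0 threshold named in the report.
const FIXED_MERMAID = "11.10.0"; // threshold from the report

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0 like a comparator; a prerelease sorts below its release,
// so "11.10.0-rc.1" is still reported as older than the fixed version.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the lockfile "packages" map (keys look like "node_modules/mermaid" or
// "node_modules/foo/node_modules/mermaid") and return every outdated copy.
function findVulnerableMermaid(lock, fixed = FIXED_MERMAID) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/mermaid$/.test(path) || !meta.version) continue;
    if (compareSemver(meta.version, fixed) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment: the top-level copy is current, but a
// transitive copy pulled in by another package is still outdated.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/mermaid": { version: "11.10.0" },
    "node_modules/legacy-macro/node_modules/mermaid": { version: "10.9.1" },
  },
};

console.log(findVulnerableMermaid(SAMPLE_LOCK));
// prints [ { path: 'node_modules/legacy-macro/node_modules/mermaid', version: '10.9.1' } ]
```

Run it against the real lockfile with `findVulnerableMermaid(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a non-empty result means the build still ships a pre-11.10.0 mermaid even if the direct dependency was bumped.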


Activity

Daniel Siara 13 March 2026, 11:28

Confirmed fixed in QA env

Automation for Jira 13 March 2026, 09:31

Hello @Daniel Siara,
Change was reviewed and approved.
Task is ready to be deployed to QA.
Once it is deployed to QA, please move the ticket to "To Test".

Thank you!

Daniel Siara 12 March 2026, 15:04

@Krzysztof Bogdan ok

Krzysztof Bogdan 12 March 2026, 15:03

@Daniel Siara Please take a look into this