Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- When Mermaid is enabled, the script imports executable JavaScript from a public CDN into a headless browser context. A local Markdown-to-PDF tool does not need remote code execution to function, so this adds supply-chain and network exposure: a compromised CDN response, dependency substitution, or unexpected outbound access could execute arbitrary script during document rendering.
