Stored XSS in mermaid #1630

@Alemmi

Hi,
This weekend I played hxpctf; during the competition there was a challenge called hackme. It was a Docker with CodiMD. My solution was unintended: I used Google Analytics to exploit a stored XSS bug in mermaid.
Here is my PoC

The bug seems to be known by the mermaid developers (issue).
I tried it on hackmd.io and it works, too.

Hope you can fix it soon!

P.S. Now I'm going to reopen the issue in mermaid repository. This is also a duplicate, but the other issues are marked as "solved".

Thanks
Alessandro Mizzaro
