Package details: pkg:npm/vega-functions@5.3.1
purl pkg:npm/vega-functions@5.3.1
Next non-vulnerable version 6.1.1
Latest non-vulnerable version 6.1.1
Risk 4.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-6gd1-bqau-17gd
Aliases:
CVE-2023-26487
GHSA-w5m3-xh75-mp55
GMS-2023-582
GMS-2023-584
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.
5.13.1
Affected by 3 other vulnerabilities.
VCID-7c32-k9j8-v7dy
Aliases:
CVE-2023-26486
GHSA-4vq7-882g-wcg4
GMS-2023-580
GMS-2023-583
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1.
5.13.1
Affected by 3 other vulnerabilities.
VCID-mfd1-x3jm-qqbk
Aliases:
CVE-2025-66648
GHSA-m9rg-mr6g-75gm
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://vega.github.io/vega/docs/expressions/)) could be used to run unintentional JavaScript (XSS).
6.1.1
Affected by 0 other vulnerabilities.
VCID-ny13-p4z1-vygt
Aliases:
CVE-2025-26619
GHSA-rcw3-wmx7-cphr
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter
In `vega` 5.30.0 and lower and `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
5.16.0
Affected by 2 other vulnerabilities.
VCID-skn9-aqg8-xba8
Aliases:
CVE-2025-27793
GHSA-963h-3v39-3pqf
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.
5.17.0
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T06:34:39.387057+00:00 GitLab Importer Affected by VCID-mfd1-x3jm-qqbk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega-functions/CVE-2025-66648.yml 38.6.0
2026-06-06T05:45:01.300140+00:00 GitLab Importer Affected by VCID-skn9-aqg8-xba8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega-functions/CVE-2025-27793.yml 38.6.0
2026-06-06T05:45:01.040970+00:00 GitLab Importer Affected by VCID-ny13-p4z1-vygt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega-functions/CVE-2025-26619.yml 38.6.0
2026-06-06T03:32:08.287123+00:00 GitLab Importer Affected by VCID-6gd1-bqau-17gd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega-functions/GMS-2023-584.yml 38.6.0
2026-06-06T03:31:40.670836+00:00 GitLab Importer Affected by VCID-7c32-k9j8-v7dy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega-functions/GMS-2023-583.yml 38.6.0