Search for packages
| purl | pkg:npm/vega@3.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5ect-9c97-tyak
Aliases: CVE-2020-26296 GHSA-r2qc-w64x-6j54 |
Cross-site Scripting Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine. |
Affected by 6 other vulnerabilities. |
|
VCID-6gd1-bqau-17gd
Aliases: CVE-2023-26487 GHSA-w5m3-xh75-mp55 GMS-2023-582 GMS-2023-584 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega. |
Affected by 4 other vulnerabilities. |
|
VCID-7c32-k9j8-v7dy
Aliases: CVE-2023-26486 GHSA-4vq7-882g-wcg4 GMS-2023-580 GMS-2023-583 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1. |
Affected by 4 other vulnerabilities. |
|
VCID-fkxw-kvr8-tyeg
Aliases: CVE-2025-25304 GHSA-mp7w-mhcv-673j |
Vega allows Cross-site Scripting via the vlSelectionTuples function The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS. |
Affected by 3 other vulnerabilities. |
|
VCID-mkyf-amf3-mbbe
Aliases: CVE-2025-59840 GHSA-7f2v-3qq3-vvjf |
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ``` |
Affected by 0 other vulnerabilities. |
|
VCID-ny13-p4z1-vygt
Aliases: CVE-2025-26619 GHSA-rcw3-wmx7-cphr |
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. |
Affected by 2 other vulnerabilities. |
|
VCID-rhm4-aqr8-m7fh
Aliases: GHSA-cp47-r258-q626 GMS-2023-581 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in vega. |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-skn9-aqg8-xba8
Aliases: CVE-2025-27793 GHSA-963h-3v39-3pqf |
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||