VulnerableCode Package Details - pkg:npm/vega@5.23.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mfcu-u5an-j3fm	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.	CVE-2023-26487 GHSA-w5m3-xh75-mp55 GMS-2023-582 GMS-2023-584
VCID-z3vb-m3pm-r3bx	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1.	CVE-2023-26486 GHSA-4vq7-882g-wcg4 GMS-2023-580 GMS-2023-583

Vulnerability

Summary

Aliases

VCID-mfcu-u5an-j3fm

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.

CVE-2023-26487
GHSA-w5m3-xh75-mp55
GMS-2023-582
GMS-2023-584

VCID-z3vb-m3pm-r3bx

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1.

CVE-2023-26486
GHSA-4vq7-882g-wcg4
GMS-2023-580
GMS-2023-583

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T21:35:14.793509+00:00	GHSA Importer	Fixing	VCID-z3vb-m3pm-r3bx	https://github.com/advisories/GHSA-4vq7-882g-wcg4	38.6.0
2026-05-31T21:35:14.685887+00:00	GHSA Importer	Fixing	VCID-mfcu-u5an-j3fm	https://github.com/advisories/GHSA-w5m3-xh75-mp55	38.6.0
2026-05-31T11:07:12.085316+00:00	GithubOSV Importer	Fixing	VCID-mfcu-u5an-j3fm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-w5m3-xh75-mp55/GHSA-w5m3-xh75-mp55.json	38.6.0
2026-05-31T11:07:08.779209+00:00	GithubOSV Importer	Fixing	VCID-z3vb-m3pm-r3bx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4vq7-882g-wcg4/GHSA-4vq7-882g-wcg4.json	38.6.0
2026-05-30T20:59:53.530360+00:00	GitLab Importer	Fixing	VCID-z3vb-m3pm-r3bx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/GMS-2023-580.yml	38.6.0
2026-05-30T20:59:53.344000+00:00	GitLab Importer	Fixing	VCID-mfcu-u5an-j3fm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/GMS-2023-582.yml	38.6.0