VulnerableCode Package Details - pkg:npm/vega@5.26.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-mkyf-amf3-mbbe Aliases: CVE-2025-59840 GHSA-7f2v-3qq3-vvjf	Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```	6.2.0 Affected by 0 other vulnerabilities.
VCID-ny13-p4z1-vygt Aliases: CVE-2025-26619 GHSA-rcw3-wmx7-cphr	Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.	5.31.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-skn9-aqg8-xba8 Aliases: CVE-2025-27793 GHSA-963h-3v39-3pqf	Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.	5.32.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-mkyf-amf3-mbbe
Aliases:
CVE-2025-59840
GHSA-7f2v-3qq3-vvjf

Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```

6.2.0
Affected by 0 other vulnerabilities.

VCID-ny13-p4z1-vygt
Aliases:
CVE-2025-26619
GHSA-rcw3-wmx7-cphr

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

5.31.0
Affected by 2 other vulnerabilities.

VCID-skn9-aqg8-xba8
Aliases:
CVE-2025-27793
GHSA-963h-3v39-3pqf

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.

5.32.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-fkxw-kvr8-tyeg	Vega allows Cross-site Scripting via the vlSelectionTuples function The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS.	CVE-2025-25304 GHSA-mp7w-mhcv-673j

Vulnerability

Summary

Aliases

VCID-fkxw-kvr8-tyeg

Vega allows Cross-site Scripting via the vlSelectionTuples function The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS.

CVE-2025-25304
GHSA-mp7w-mhcv-673j

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:19:46.684760+00:00	GitLab Importer	Affected by	VCID-mkyf-amf3-mbbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-59840.yml	38.6.0
2026-06-06T05:45:00.258398+00:00	GitLab Importer	Affected by	VCID-ny13-p4z1-vygt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-26619.yml	38.6.0
2026-06-06T05:44:55.682529+00:00	GitLab Importer	Affected by	VCID-skn9-aqg8-xba8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-27793.yml	38.6.0
2026-06-04T17:10:54.249632+00:00	GithubOSV Importer	Fixing	VCID-fkxw-kvr8-tyeg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-mp7w-mhcv-673j/GHSA-mp7w-mhcv-673j.json	38.6.0
2026-06-04T16:23:19.998619+00:00	GitLab Importer	Fixing	VCID-fkxw-kvr8-tyeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-25304.yml	38.6.0