{"url":"http://public2.vulnerablecode.io/api/packages/282655?format=json","purl":"pkg:npm/vega@2.5.1","type":"npm","namespace":"","name":"vega","version":"2.5.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.2.0","latest_non_vulnerable_version":"6.2.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53924?format=json","vulnerability_id":"VCID-5ect-9c97-tyak","summary":"Cross-site Scripting\nVega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim's machine.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26296.json","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-26296.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26296","reference_id":"","reference_type":"","scores":[{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61483","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61429","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00407","scoring_system":"epss","scoring_elements":"0.61477","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26296"},{"reference_url":"https://github.com/vega/vega/issues/3018","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/issues/3018"},{"reference_url":"ht
tps://github.com/vega/vega/pull/3019","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/pull/3019"},{"reference_url":"https://github.com/vega/vega/releases/tag/v5.17.3","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/releases/tag/v5.17.3"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-r2qc-w64x-6j54","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/security/advisories/GHSA-r2qc-w64x-6j54"},{"reference_url":"https://www.npmjs.com/package/vega","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/vega"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1927486","reference_id":"1927486","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1927486"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26296","reference_id":"CVE-2020-26296","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26296"}],"fixed_packages":[{"url":"http://p
ublic2.vulnerablecode.io/api/packages/79426?format=json","purl":"pkg:npm/vega@5.17.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-6gd1-bqau-17gd"},{"vulnerability":"VCID-7c32-k9j8-v7dy"},{"vulnerability":"VCID-fkxw-kvr8-tyeg"},{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-ny13-p4z1-vygt"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.17.3"}],"aliases":["CVE-2020-26296","GHSA-r2qc-w64x-6j54"],"risk_score":3.9,"exploitability":"0.5","weighted_severity":"7.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ect-9c97-tyak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44564?format=json","vulnerability_id":"VCID-6gd1-bqau-17gd","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vega.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26487.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26487.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26487","reference_id":"","reference_type":"","scores":[{"value":"0.00354","scoring_system":"epss","scoring_elements":"0.5804","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00354","scoring_system":"epss","scoring_elements":"0.57981","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00354","scoring_system":"epss","scoring_elements":"0.58032","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26487"},{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"g
eneric_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:39Z/"}],"url":"https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689"},{"reference_url":"https://github.com/vega/vega/releases/tag/v5.23.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:39Z/"}],"url":"https://github.com/vega/vega/releases/tag/v5.23.0"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2190159","reference_id":"2190159","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2190159"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26487","reference_id":"CVE-2023-26487","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26487"},{"reference_url":"https://github.com/advisories/GHSA-w5m3-xh75-mp55","reference_id":"GHSA-w5m3-xh75-mp55","referen
ce_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w5m3-xh75-mp55"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55","reference_id":"GHSA-w5m3-xh75-mp55","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:39Z/"}],"url":"https://github.com/vega/vega/security/advisories/GHSA-w5m3-xh75-mp55"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64099?format=json","purl":"pkg:npm/vega@5.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkxw-kvr8-tyeg"},{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-ny13-p4z1-vygt"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.23.0"}],"aliases":["CVE-2023-26487","GHSA-w5m3-xh75-mp55","GMS-2023-582","GMS-2023-584"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6gd1-bqau-17gd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44566?format=json","vulnerability_id":"VCID-7c32-k9j8-v7dy","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nVega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. 
The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26486.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-26486.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26486","reference_id":"","reference_type":"","scores":[{"value":"0.00369","scoring_system":"epss","scoring_elements":"0.5917","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00369","scoring_system":"epss","scoring_elements":"0.59118","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00369","scoring_system":"epss","scoring_elements":"0.59166","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-26486"},{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://github.com/vega/vega/releases/tag/v5.23.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:36Z/"}],"url":"https://github.com/vega/vega
/releases/tag/v5.23.0"},{"reference_url":"https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:36Z/"}],"url":"https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37"},{"reference_url":"https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:36Z/"}],"url":"https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26486","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26486"},{"reference_url":"https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgD
sQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:36Z/"}],"url":"https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2190192","reference_id":"2190192","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2190192"},{"reference_url":"https://github.com/advisories/GHSA-4vq7-882g-wcg4","reference_id":"GHSA-4vq7-882g-wcg4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4vq7-882g-wcg4"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4","reference_id":"GHSA-4vq7-882g-wcg4","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track
","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:31:36Z/"}],"url":"https://github.com/vega/vega/security/advisories/GHSA-4vq7-882g-wcg4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64099?format=json","purl":"pkg:npm/vega@5.23.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fkxw-kvr8-tyeg"},{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-ny13-p4z1-vygt"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.23.0"}],"aliases":["CVE-2023-26486","GHSA-4vq7-882g-wcg4","GMS-2023-580","GMS-2023-583"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7c32-k9j8-v7dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56664?format=json","vulnerability_id":"VCID-fkxw-kvr8-tyeg","summary":"Vega allows Cross-site Scripting via the vlSelectionTuples function\nThe `vlSelectionTuples` function can be used to call JavaScript functions, leading to 
XSS.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-25304","reference_id":"","reference_type":"","scores":[{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39768","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00182","scoring_system":"epss","scoring_elements":"0.39765","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-25304"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:43:42Z/"}],"url":"https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14"},{"reference_url":"https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/V
A:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:43:42Z/"}],"url":"https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25304","reference_id":"CVE-2025-25304","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25304"},{"reference_url":"https://github.com/advisories/GHSA-mp7w-mhcv-673j","reference_id":"GHSA-mp7w-mhcv-673j","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mp7w-mhcv-673j"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j","reference_id":"GHSA-mp7w-mhcv-673j","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-14T19:43:42Z/"}],"url":"https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84127?format=json","purl":"pkg:npm/vega@5.26.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-ny13-p4z1-vygt"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.26.0"}],"aliases":["CVE-2025-25304","GHSA-mp7w-mhcv-673j"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulne
rabilities/VCID-fkxw-kvr8-tyeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48362?format=json","vulnerability_id":"VCID-mkyf-amf3-mbbe","summary":"Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable\nVega offers the evaluation of expressions in a secure context. Arbitrary function calls are prohibited. When an event is exposed to an expression, reading members of window objects is possible. Because of this exposure, in some applications DOM XSS can be achieved with a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`.\n\nIn practice, an accessible gadget like this exists in the global VEGA_DEBUG code.\n\n```js\n({\ntoString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on,\neventName: event.view.console.log,\n_handlers: {\nundefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'\n},\n_handlerIndex: event.view.eval\n})+1\n```","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59840.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59840.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59840","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10313","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10294","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-59840"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}
],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239"},{"reference_url":"https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/index.tsx#L14-L16","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/index.tsx#L14-L16"},{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAB3GgBN6aAMwCADDPg0yWVRplIGmNhBoAvOGhDiJVmQrjQATjRyZ2k9ABU2ZMgA2cAAEAELGJpIyZmTiSAEQaADaoHEIVugm-kHSIMTxDBmYzoUyEsmgcKTimImooJgAnjgZIFABNFAA1rnIzl1prVA0zu1WAL4yDDgKSJitWYEhAPzBAGbxECGowcWFIOMAupOpSOnWSAoKAGI0AfPOueWoKSBVcDV1Dc2tCGwMWz+pFyYgYo1a8nECjYsgOUxmc1aAApgCYAMrFGjiMiod41SjEGhwWSUABqAFEAOIAQQA+gARcmhACqlIJfEoAGEkOJ8hAABI8hRBZyUHDONgmJotSgSKTBPGYAByZzguOqmAJRJJUAkYiClACfiktJgQpF+GADChcDWWLgClQAHJ4nBnJgkWxXLRxMEANTBAAGwQAGmi0cEJMFSM4zFHAwGKTSGUzWWSqXSKQAlNEASQA8kqAJROyam81u3M2gAe6o+msJxMoVXi4yLf
oAjAdjscgA","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAB3GgBN6aAMwCADDPg0yWVRplIGmNhBoAvOGhDiJVmQrjQATjRyZ2k9ABU2ZMgA2cAAEAELGJpIyZmTiSAEQaADaoHEIVugm-kHSIMTxDBmYzoUyEsmgcKTimImooJgAnjgZIFABNFAA1rnIzl1prVA0zu1WAL4yDDgKSJitWYEhAPzBAGbxECGowcWFIOMAupOpSOnWSAoKAGI0AfPOueWoKSBVcDV1Dc2tCGwMWz+pFyYgYo1a8nECjYsgOUxmc1aAApgCYAMrFGjiMiod41SjEGhwWSUABqAFEAOIAQQA+gARcmhACqlIJfEoAGEkOJ8hAABI8hRBZyUHDONgmJotSgSKTBPGYAByZzguOqmAJRJJUAkYiClACfiktJgQpF+GADChcDWWLgClQAHJ4nBnJgkWxXLRxMEANTBAAGwQAGmi0cEJMFSM4zFHAwGKTSGUzWWSqXSKQAlNEASQA8kqAJROyam81u3M2gAe6o+msJxMoVXi4yLfoAjAdjscgA"},{"reference_url":"https://vega.github.io/vega/usage/interpreter","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://vega.github.io/vega/usage/interpreter"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125183","reference_id":"1125183","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125183"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2414907","reference_id":"2414907","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2414907"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59840","reference_id":"CVE-2025-59840","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59840
"},{"reference_url":"https://github.com/advisories/GHSA-7f2v-3qq3-vvjf","reference_id":"GHSA-7f2v-3qq3-vvjf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7f2v-3qq3-vvjf"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf","reference_id":"GHSA-7f2v-3qq3-vvjf","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T15:59:50Z/"}],"url":"https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71384?format=json","purl":"pkg:npm/vega@6.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@6.2.0"}],"aliases":["CVE-2025-59840","GHSA-7f2v-3qq3-vvjf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mkyf-amf3-mbbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56993?format=json","vulnerability_id":"VCID-ny13-p4z1-vygt","summary":"Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter\nIn `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be 
supported.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-26619","reference_id":"","reference_type":"","scores":[{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62143","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00417","scoring_system":"epss","scoring_elements":"0.62135","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-26619"},{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/"}],"url":"https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c"},{"reference_url":"https://github.com/vega/vega/issues/3984","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/V
A:N/SC:L/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/"}],"url":"https://github.com/vega/vega/issues/3984"},{"reference_url":"https://github.com/vega/vega-lite/issues/9469","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/"}],"url":"https://github.com/vega/vega-lite/issues/9469"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125181","reference_id":"1125181","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125181"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26619","reference_id":"CVE-2025-26619","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26619"},{"reference_url":"https://github.com/advisories/GHSA-rcw3-wmx7-cphr","reference_id":"GHSA-rcw3-wmx7-cphr","reference_type":"","scores":[],"url":"https://github.com/advis
ories/GHSA-rcw3-wmx7-cphr"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr","reference_id":"GHSA-rcw3-wmx7-cphr","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/"}],"url":"https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84619?format=json","purl":"pkg:npm/vega@5.31.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.31.0"}],"aliases":["CVE-2025-26619","GHSA-rcw3-wmx7-cphr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ny13-p4z1-vygt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44561?format=json","vulnerability_id":"VCID-rhm4-aqr8-m7fh","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in 
vega.","references":[{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://github.com/vega/vega/commit/692327013eb4dd5adec0c47a620181af1b135e2a","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/commit/692327013eb4dd5adec0c47a620181af1b135e2a"},{"reference_url":"https://github.com/vega/vega/commits/v4.5.1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/commits/v4.5.1"},{"reference_url":"https://github.com/vega/vega/commits/v5.4.1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/commits/v5.4.1"},{"reference_url":"https://github.com/vega/vega/pull/1892","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/pull/1892"},{"reference_url":"https://github.com/advisories/GHSA-cp47-r258-q626","reference_id":"GHSA-cp47-r258-q626","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cp47-r258-q626"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-cp47-r258-q626","reference_id":"GHSA-cp47-r258-q626","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega/security/advisories/GHSA-cp47-r258-q626"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64097?format=json","purl":"pkg:npm/vega@4.5.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packa
ges/pkg:npm/vega@4.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/282742?format=json","purl":"pkg:npm/vega@5.0.0-rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ect-9c97-tyak"},{"vulnerability":"VCID-6gd1-bqau-17gd"},{"vulnerability":"VCID-7c32-k9j8-v7dy"},{"vulnerability":"VCID-fkxw-kvr8-tyeg"},{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-ny13-p4z1-vygt"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.0.0-rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/64098?format=json","purl":"pkg:npm/vega@5.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/282756?format=json","purl":"pkg:npm/vega@5.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ect-9c97-tyak"},{"vulnerability":"VCID-6gd1-bqau-17gd"},{"vulnerability":"VCID-7c32-k9j8-v7dy"},{"vulnerability":"VCID-fkxw-kvr8-tyeg"},{"vulnerability":"VCID-mkyf-amf3-mbbe"},{"vulnerability":"VCID-ny13-p4z1-vygt"},{"vulnerability":"VCID-skn9-aqg8-xba8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.5.0"}],"aliases":["GHSA-cp47-r258-q626","GMS-2023-581"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rhm4-aqr8-m7fh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56990?format=json","vulnerability_id":"VCID-skn9-aqg8-xba8","summary":"Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]\nCalling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` 
function.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27793","reference_id":"","reference_type":"","scores":[{"value":"0.00468","scoring_system":"epss","scoring_elements":"0.64868","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00468","scoring_system":"epss","scoring_elements":"0.64858","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27793"},{"reference_url":"https://github.com/vega/vega","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/vega/vega"},{"reference_url":"https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/"}],"url":"https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966"},{"reference_url":"https://github.com/vega/vega/releases/tag/v5.32.0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/"}],"url":"https://github.com/vega/vega/releases/tag/v5.32.0"},{"reference_url":"https://vega.github.io/vega/usage/interpreter","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_element
s":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/"}],"url":"https://vega.github.io/vega/usage/interpreter"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125182","reference_id":"1125182","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125182"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27793","reference_id":"CVE-2025-27793","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27793"},{"reference_url":"https://github.com/advisories/GHSA-963h-3v39-3pqf","reference_id":"GHSA-963h-3v39-3pqf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-963h-3v39-3pqf"},{"reference_url":"https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf","reference_id":"GHSA-963h-3v39-3pqf","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/"}],"url":"https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84616?format=json","purl":"pkg:npm/vega@5.32.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mkyf-amf3-mbbe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.32.0"}],"aliases":["CVE-2025-27793","GHS
A-963h-3v39-3pqf"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-skn9-aqg8-xba8"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vega@2.5.1"}