Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/vega@5.31.0
Typenpm
Namespace
Namevega
Version5.31.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version6.2.0
Latest_non_vulnerable_version6.2.0
Affected_by_vulnerabilities
0
url VCID-mkyf-amf3-mbbe
vulnerability_id VCID-mkyf-amf3-mbbe
summary 
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved.

In practice, an accessible gadget like this exists in the global VEGA_DEBUG code.

```js
({
toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on,
eventName: event.view.console.log,
_handlers: {
undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
},
_handlerIndex: event.view.eval
})+1
```
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59840.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59840.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59840
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.10294
published_at 2026-06-05T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10187
published_at 2026-06-08T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.1027
published_at 2026-06-07T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.10313
published_at 2026-06-06T12:55:00Z
4
value 0.00042
scoring_system epss
scoring_elements 0.13239
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59840
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239
4
reference_url https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/index.tsx#L14-L16
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/index.tsx#L14-L16
5
reference_url https://github.com/vega/vega
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/vega/vega
6
reference_url https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAB3GgBN6aAMwCADDPg0yWVRplIGmNhBoAvOGhDiJVmQrjQATjRyZ2k9ABU2ZMgA2cAAEAELGJpIyZmTiSAEQaADaoHEIVugm-kHSIMTxDBmYzoUyEsmgcKTimImooJgAnjgZIFABNFAA1rnIzl1prVA0zu1WAL4yDDgKSJitWYEhAPzBAGbxECGowcWFIOMAupOpSOnWSAoKAGI0AfPOueWoKSBVcDV1Dc2tCGwMWz+pFyYgYo1a8nECjYsgOUxmc1aAApgCYAMrFGjiMiod41SjEGhwWSUABqAFEAOIAQQA+gARcmhACqlIJfEoAGEkOJ8hAABI8hRBZyUHDONgmJotSgSKTBPGYAByZzguOqmAJRJJUAkYiClACfiktJgQpF+GADChcDWWLgClQAHJ4nBnJgkWxXLRxMEANTBAAGwQAGmi0cEJMFSM4zFHAwGKTSGUzWWSqXSKQAlNEASQA8kqAJROyam81u3M2gAe6o+msJxMoVXi4yLfoAjAdjscgA
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAB3GgBN6aAMwCADDPg0yWVRplIGmNhBoAvOGhDiJVmQrjQATjRyZ2k9ABU2ZMgA2cAAEAELGJpIyZmTiSAEQaADaoHEIVugm-kHSIMTxDBmYzoUyEsmgcKTimImooJgAnjgZIFABNFAA1rnIzl1prVA0zu1WAL4yDDgKSJitWYEhAPzBAGbxECGowcWFIOMAupOpSOnWSAoKAGI0AfPOueWoKSBVcDV1Dc2tCGwMWz+pFyYgYo1a8nECjYsgOUxmc1aAApgCYAMrFGjiMiod41SjEGhwWSUABqAFEAOIAQQA+gARcmhACqlIJfEoAGEkOJ8hAABI8hRBZyUHDONgmJotSgSKTBPGYAByZzguOqmAJRJJUAkYiClACfiktJgQpF+GADChcDWWLgClQAHJ4nBnJgkWxXLRxMEANTBAAGwQAGmi0cEJMFSM4zFHAwGKTSGUzWWSqXSKQAlNEASQA8kqAJROyam81u3M2gAe6o+msJxMoVXi4yLfoAjAdjscgA
7
reference_url https://vega.github.io/vega/usage/interpreter
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://vega.github.io/vega/usage/interpreter
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125183
reference_id 1125183
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125183
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2414907
reference_id 2414907
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2414907
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59840
reference_id CVE-2025-59840
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59840
11
reference_url https://github.com/advisories/GHSA-7f2v-3qq3-vvjf
reference_id GHSA-7f2v-3qq3-vvjf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7f2v-3qq3-vvjf
12
reference_url https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf
reference_id GHSA-7f2v-3qq3-vvjf
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-11-14T15:59:50Z/
url https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf
fixed_packages
0
url pkg:npm/vega@6.2.0
purl pkg:npm/vega@6.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega@6.2.0
aliases CVE-2025-59840, GHSA-7f2v-3qq3-vvjf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mkyf-amf3-mbbe
1
url VCID-skn9-aqg8-xba8
vulnerability_id VCID-skn9-aqg8-xba8
summary 
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27793
reference_id
reference_type
scores
0
value 0.00468
scoring_system epss
scoring_elements 0.64846
published_at 2026-06-08T12:55:00Z
1
value 0.00468
scoring_system epss
scoring_elements 0.64863
published_at 2026-06-09T12:55:00Z
2
value 0.00468
scoring_system epss
scoring_elements 0.64868
published_at 2026-06-06T12:55:00Z
3
value 0.00468
scoring_system epss
scoring_elements 0.64858
published_at 2026-06-05T12:55:00Z
4
value 0.00468
scoring_system epss
scoring_elements 0.64857
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27793
1
reference_url https://github.com/vega/vega
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vega/vega
2
reference_url https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/
url https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966
3
reference_url https://github.com/vega/vega/releases/tag/v5.32.0
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/
url https://github.com/vega/vega/releases/tag/v5.32.0
4
reference_url https://vega.github.io/vega/usage/interpreter
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/
url https://vega.github.io/vega/usage/interpreter
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125182
reference_id 1125182
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125182
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27793
reference_id CVE-2025-27793
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27793
7
reference_url https://github.com/advisories/GHSA-963h-3v39-3pqf
reference_id GHSA-963h-3v39-3pqf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-963h-3v39-3pqf
8
reference_url https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
reference_id GHSA-963h-3v39-3pqf
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T15:17:13Z/
url https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
fixed_packages
0
url pkg:npm/vega@5.32.0
purl pkg:npm/vega@5.32.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mkyf-amf3-mbbe
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.32.0
aliases CVE-2025-27793, GHSA-963h-3v39-3pqf
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-skn9-aqg8-xba8
Fixing_vulnerabilities
0
url VCID-ny13-p4z1-vygt
vulnerability_id VCID-ny13-p4z1-vygt
summary 
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter
In `vega` 5.30.0 and lower,  `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-26619
reference_id
reference_type
scores
0
value 0.00417
scoring_system epss
scoring_elements 0.62116
published_at 2026-06-08T12:55:00Z
1
value 0.00417
scoring_system epss
scoring_elements 0.62133
published_at 2026-06-09T12:55:00Z
2
value 0.00417
scoring_system epss
scoring_elements 0.62143
published_at 2026-06-06T12:55:00Z
3
value 0.00417
scoring_system epss
scoring_elements 0.62135
published_at 2026-06-05T12:55:00Z
4
value 0.00417
scoring_system epss
scoring_elements 0.62131
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-26619
1
reference_url https://github.com/vega/vega
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/vega/vega
2
reference_url https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/
url https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c
3
reference_url https://github.com/vega/vega/issues/3984
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/
url https://github.com/vega/vega/issues/3984
4
reference_url https://github.com/vega/vega-lite/issues/9469
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/
url https://github.com/vega/vega-lite/issues/9469
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125181
reference_id 1125181
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125181
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-26619
reference_id CVE-2025-26619
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-26619
7
reference_url https://github.com/advisories/GHSA-rcw3-wmx7-cphr
reference_id GHSA-rcw3-wmx7-cphr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rcw3-wmx7-cphr
8
reference_url https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr
reference_id GHSA-rcw3-wmx7-cphr
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T14:19:56Z/
url https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr
fixed_packages
0
url pkg:npm/vega@5.31.0
purl pkg:npm/vega@5.31.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mkyf-amf3-mbbe
1
vulnerability VCID-skn9-aqg8-xba8
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega@5.31.0
aliases CVE-2025-26619, GHSA-rcw3-wmx7-cphr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ny13-p4z1-vygt
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/vega@5.31.0