Description
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
Recommendation
Update the billboard.js package to the latest compatible version. The version details are as follows:
- Affected version(s): < 3.18.0
- Patched version(s): 3.18.0
References
Related Issues
- Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` - CVE-2026-27901
- Svelte vulnerable to XSS when using objects during server-side rendering - CVE-2022-25875
- Svelte affected by XSS in SSR `<option>` element - CVE-2026-27119
- Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
Tags
- npm
- billboard.js
Last updated on January 28, 2026