billboard.js is vulnerable to XSS during chart option binding

Description

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.

Recommendation

Update the billboard.js package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.18.0
• Patched version(s): 3.18.0

References

• GHSA-rpc5-pm7q-hjmp
• cve.naver.com
• CVE-2026-1513
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` - CVE-2026-27901
• Svelte vulnerable to XSS when using objects during server-side rendering - CVE-2022-25875
• defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag - CVE-2026-30830
• Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

billboard.js