Vulnerabilities/

Vega allows Cross-site Scripting via the vlSelectionTuples function

Severity:: Medium

Description

The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

Affected version(s): < 5.26.0
Patched version(s): 5.26.0

References

Related Issues

Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2 - CVE-2025-59840
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840

Tags:: npm; vega

Anything's wrong? Let us know Last updated on February 14, 2025