`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
- Severity:
- High
Description
For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS).
Recommendation
Update the vega-functions package to the latest compatible version. Followings are version details:
- Affected version(s): <= 6.1.0
- Patched version(s): 6.1.1
References
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- cookie accepts cookie name, path, and domain with out of bounds characters - CVE-2024-47764
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- Tags:
- npm
- vega-functions
Anything's wrong? Let us know Last updated on January 06, 2026