`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
- Severity:
- High
Description
For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS).
Recommendation
Update the vega-functions package to the latest compatible version. Followings are version details:
- Affected version(s): <= 6.1.0
- Patched version(s): 6.1.1
References
Related Issues
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
- Tags:
- npm
- vega-functions
Anything's wrong? Let us know Last updated on January 06, 2026