Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets
- Severity: High
Description
Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" expressionInterpreter is used.
- Use `vega` in an application that attaches both the `vega` library and a `vega.View` instance (similar to the Vega Editor) to the global `window`, or that has any other satisfactory function gadgets in the global scope.
Recommendation
Update the vega-selections package to the latest compatible version. Version details:
- Affected version(s): **>= 6.0.0, < 6.1.2** and **< 5.6.3**
- Patched version(s): **6.1.2** and **5.6.3**
- Tags: npm, vega-selections
Last updated on January 06, 2026