
6 matches found

RedhatCVE
added 2025/03/28 3:4 a.m., 12 views

CVE-2025-26619

A cross-site scripting vulnerability was found in the Vega library for Node.js. In affected versions, it is possible to call JavaScript functions from the Vega expression language that were not meant to be supported. Mitigation: Run vega without vega.expressionInterpreter. Alternatively, using the...

CVSS 5.4, AI score 6.5, EPSS 0.00302
Exploits: 1, References: 7
Circl
added 2025/03/27 2:27 p.m., 3 views

CVE-2025-26619

creationtimestamp | type | source
---|---|---
2025-03-27 14:27:25+00:00 | published-proof-of-concept | https://t.me/DarkWebInformerCVEAlerts/9091...

CVSS 6.1, AI score 5.4, EPSS 0.00302
Exploits: 1, References: 1
vulnersOsv
added 2025/03/27 2:12 p.m., 4 views

@ekyc_qoobiss/qbs-cid-cmp (>=1.0.5 <=1.5.9), @ekyc_qoobiss/qbs-ect-cmp (>=1.2.0 <=4.8.0) +55 more potentially affected by CVE-2025-26619 via vega-functions (>=5.10.0 <=5.15.0)

vega-functions NPM version =5.10.0, =1.0.5, =1.2.0, =0.0.2, =0.1.2, =1.0.0, =1.0.7, =0.1.4, =0.6.2, =1.0.1, =2.8.0-canary.140, =2.27.0 - @tensorflow/tfjs-vis =1.5.1 and more Source cves: CVE-2025-26619 Source advisory: OSV:GHSA-RCW3-WMX7-CPHR...

CVSS 6.1, AI score 5.9, EPSS 0.00302
Exploits: 1
vulnersOsv
added 2025/03/27 2:12 p.m., 6 views

@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +131 more potentially affected by CVE-2025-26619 via vega (>=1.5.4 <=5.30.0)

vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =1.0.5, =1.2.0, =0.0.2, =0.8.0, =3.1.3 - @jupyterlab/vega3-extension =0.14.3 and more Source cves: CVE-2025-26619 Source advisory: OSV:GHSA-RCW3-WMX7-CPHR...

CVSS 6.1, AI score 5.9, EPSS 0.00302
Exploits: 1
Vulnrichment
added 2025/03/27 1:51 p.m., 5 views

CVE-2025-26619 Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode `expressionInterpreter`

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In vega 5.30.0 and lower and in vega-functions 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be...

CVSS 5.3, AI score 6.5, EPSS 0.00302
Exploits: 1, References: 4
CVE
added 2025/03/27 1:51 p.m., 64 views

CVE-2025-26619

Vega (Node) and Vega‑functions prior to versions 5.31.0/5.16.0 allow calling JavaScript functions from the Vega expression language that were not meant to be supported. This is the CVE-2025-26619 issue; the root cause is exposure of arbitrary JS execution through the expression interpreter. The v...

CVSS 6.1, AI score 6.9, EPSS 0.00302
Exploits: 1, References: 4, Affected Software: 1