13 matches found

Veracode
added 2026/03/13 5:15 a.m., 8 views

Cross-site Scripting (XSS)

Vega is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the attachment of vega library and a vega.View instance to the global window, and the allowance of user-defined Vega JSON definitions, which can lead to arbitrary JavaScript code execution. An attacker can exploit this...

CVSS 8.1, AI score 7.7, EPSS 0.00334
Exploits: 0, References: 4, Affected Software: 3
Tenable Nessus
added 2026/01/12 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-59840

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0,...

CVSS 8.1, AI score 6.3, EPSS 0.00334
Exploits: 0, References: 3
RedhatCVE
added 2026/01/06 7:41 a.m., 6 views

CVE-2025-65110

A flaw was found in Vega, a library used for creating interactive data visualizations. This vulnerability affects applications that expose the Vega library globally and process user-provided visualization definitions. A remote attacker could exploit this by convincing a user to open a specially...

CVSS 8.1, AI score 6.8, EPSS 0.00452
Exploits: 1, References: 4
CVE
added 2026/01/05 9:22 p.m., 21 views

CVE-2025-65110

CVE-2025-65110 affects Vega, a visualization grammar. Prior to versions 6.1.2 and 5.6.3, if an application both attaches the Vega library and a vega.View instance to the global window (or has other safe-function gadget in the global scope) and allows user-defined Vega JSON definitions, it is at r...

CVSS 9.3, AI score 7, EPSS 0.00452
Exploits: 1, References: 1, Affected Software: 1
OSV
added 2025/12/18 5:15 p.m., 7 views

CVE-2025-14896

due to insufficient sanitization in Vega’s convert function when safeMode is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitiv...

CVSS 8.7, AI score 6.5
Exploits: 0, References: 1
RedhatCVE
added 2025/11/14 9:50 a.m., 5 views

CVE-2025-59840

A cross-site scripting (XSS) vulnerability has been identified in the Vega visualization library when applications accept user-supplied Vega specifications and expose Vega objects on the global browser window. An attacker can craft a malicious Vega specification that triggers hidden JavaScript...

CVSS 8.1, AI score 5.6, EPSS 0.00334
Exploits: 0, References: 4
Snyk
added 2025/11/13 8:43 p.m., 3 views

Cross-site Scripting (XSS)

Overview: vega is a library that implements Vega visualization grammar. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...

CVSS 8.1, AI score 5.5, EPSS 0.00334
Exploits: 0, References: 2
CNNVD
added 2025/11/13 12:0 a.m., 3 views

Vega cross-site scripting vulnerability

Vega is a JavaScript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. A cross-site scripting vulnerability exists in Vega versions prio...

CVSS 8.1, AI score 6.5, EPSS 0.00334
Exploits: 0, References: 1
OSSF Malicious Packages
added 2025/11/12 4:29 a.m., 3 views

Malicious code in vega-library-schema-parcel (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55dcc95f4dea0db952210a246c97eca63e5bda6d4afe8728102b9082fb2aeeef This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0
OSV
added 2025/11/12 4:29 a.m., 2 views

MAL-2025-149093 Malicious code in vega-library-schema-parcel (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55dcc95f4dea0db952210a246c97eca63e5bda6d4afe8728102b9082fb2aeeef This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits: 0
EUVD
added 2025/11/12 4:29 a.m., 3 views

EUVD-2025-120836

Malicious code in vega-library-schema-parcel (npm)...

AI score 6.6
Exploits: 0
OSV
added 2025/03/27 2:15 p.m., 3 views

DEBIAN-CVE-2025-26619

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In vega 5.30.0 and lower and in vega-functions 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be...

CVSS 6.1, AI score 5.9, EPSS 0.00302
Exploits: 1, References: 1
OSV
added 2025/02/14 8:15 p.m., 3 views

UBUNTU-CVE-2025-25304

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...

CVSS 6.9, AI score 5.8, EPSS 0.00602
Exploits: 0, References: 5