Linux Distros Unpatched Vulnerability : CVE-2023-26487
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. lassoAppend' function accepts 3...
Linux Distros Unpatched Vulnerability : CVE-2025-65110
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3,...
Linux Distros Unpatched Vulnerability : CVE-2023-26486
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function ha...
UBUNTU-CVE-2025-65110
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used...
SUSE CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
@0xgg/echomd (>=1.0.0 <=1.0.4), @adobe/react-spectrum-charts (>=1.16.0 <=1.28.0) +353 more potentially affected by CVE-2025-59840 via vega (>=1.5.4 <=6.1.2)
vega NPM version =1.5.4, =1.0.0, =1.16.0, =0.2.0, =1.1.5, =0.4.3, =0.1.0, =0.0.1, =0.20.0, =0.20.0, =0.4.1-canary.195, =0.0.0, =0.2.0-beta.0, =0.2.0-beta.4 and more Source cves: CVE-2025-59840 Source advisory: OSV:GHSA-7F2V-3QQ3-VVJF...
com.databricks:automatedml_2.11 (=0.7.2), com.github.aishfenton:vegas-flink_2.11 (=0.3.4) +11 more potentially affected by CVE-2025-59840 via org.webjars.bower:vega (>=1.5.4 <=3.0.0-rc4)
org.webjars.bower:vega MAVEN version =1.5.4, =0.3.6, =0.3.6, =0.3.6, =1.1.0, =2.1.0, =1.0.10, =2.0.1 Source cves: CVE-2025-59840 Source advisory: SNYK:JAVA-ORGWEBJARSBOWER-13961288...
arakawa (=0.1.0-alpha.1), vega-cli (>=6.0.0 <=6.1.2) potentially affected by CVE-2025-59840 via vega (>=6.0.0 <=6.1.2)
vega NPM version =6.0.0, =6.0.0, =6.1.2 Source cves: CVE-2025-59840 Source advisory: SNYK:JS-VEGA-13961123...
DEBIAN-CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
PT-2025-46878
Name of the Vulnerable Software and Affected Versions: Vega versions prior to 6.2.0; vega-expression versions prior to 6.1.0; vega-interpreter versions prior to 2.2.1; vega-expression versions prior to 5.2.1; vega-interpreter versions prior to 1.2.1. Description: Vega is a visualization grammar used for...
EUVD-2025-8424
Malicious code in bioql PyPI...
Security Bulletin: Vulnerability in Vega affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.
Summary: A potential vulnerability in Vega has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerability has been addressed. Refer to details for additional information. Vulnerability...
Cross-site Scripting (XSS)
Vega is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to unsafe evaluation of JavaScript code, caused by the lack of an expression interpreter when processing Vega/Vega-Lite JSON definitions...
@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +132 more potentially affected by CVE-2025-27793 via vega (>=1.5.4 <=5.31.0)
vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =1.0.5, =1.2.0, =0.0.2, =0.8.0, =3.1.3 - @jupyterlab/vega3-extension =0.14.3 and more Source cves: CVE-2025-27793 Source advisory: OSV:GHSA-963H-3V39-3PQF...
GHSA-963H-3V39-3PQF Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Impact: Users running Vega/Vega-Lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter. Workarounds: use vega with the expression interpreter; upgrade to a newer Vega version (5.32.0). POC Summary: Calling replace with a...
CVE-2025-27793
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code...
CVE-2025-26619
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In vega 5.30.0 and lower and in vega-functions 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be...
@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +131 more potentially affected by CVE-2025-26619 via vega (>=1.5.4 <=5.30.0)
vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =1.0.5, =1.2.0, =0.0.2, =0.8.0, =3.1.3 - @jupyterlab/vega3-extension =0.14.3 and more Source cves: CVE-2025-26619 Source advisory: OSV:GHSA-RCW3-WMX7-CPHR...
CVE-2025-27793 Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code...