89 matches found
CVE-2026-45249
A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
Cross-site Scripting (XSS)
Overview echarts is an Apache ECharts is a powerful, interactive charting and data visualization library for browser Affected versions of this package are vulnerable to Cross-site Scripting XSS in the tooltip rendering when both Lines series and tooltip are used without a user-specified...
Cross-site Scripting (XSS)
Overview org.webjars.npm:echarts is an Apache ECharts is a powerful, interactive charting and data visualization library for browser Affected versions of this package are vulnerable to Cross-site Scripting XSS in the tooltip rendering when both Lines series and tooltip are used without a...
CVE-2026-45249
A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
CVE-2026-45249
Apache ECharts contains an XSS risk in the Lines series tooltip rendering for versions before 6.1.0. If Lines and tooltip are used without a user-specified tooltip.formatter and series.data[i].name is set, a raw HTML string can be inserted into the tooltip via innerHTML, bypassing normal escaping...
CVE-2026-45249 Apache ECharts: XSS in Lines series tooltip rendering
A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
EUVD-2026-31650
A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
CVE-2026-45249
A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
CVE-2026-45249 Apache ECharts: XSS in Lines series tooltip rendering
A cross-site scripting XSS vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and...
Apache ECharts 安全漏洞
Apache ECharts is a data visualization charting library from the Apache USA Foundation. A security vulnerability exists in Apache ECharts versions prior to 6.1.0, which stems from a failure to escape HTML strings in the rendering logic of the Lines family of tooltips, potentially leading to a...
PT-2026-42882
Name of the Vulnerable Software and Affected Versions Apache ECharts versions prior to 6.1.0 Description A cross-site scripting XSS issue exists in the Lines series tooltip rendering logic. When the Lines series and tooltip are used without a user-specified tooltip.formatter, and series.datai.nam...
Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
In this article 1. Attack chain overview 1. Technical analysis 2. How GitHub took action to prevent further harm 2. Mitigation and protection guidance 1. Microsoft Defender XDR Detections 2. Microsoft Defender XDR Threat analytics 3. Advanced hunting 4. Indicators of Compromise IOC 3. References ...
Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, includin...
MAL-2026-4146 Malicious code in mcp-echarts (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Malicious code in mcp-echarts (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Malicious code in echarts-for-react (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
@abtnode/ux (>=1.16.40 <=1.17.12-beta-20260422-093007-b389a838), @ada-lc/echarts-materials (>=0.0.1 <=0.0.2) +492 more potentially affected by unknown CVE via echarts-for-react (>=3.0.0-beta.2 <=3.0.6)
echarts-for-react NPM version =3.0.0-beta.2, =1.16.40, =0.0.1, =0.1.0, =0.0.2-7.1, =0.1.1, =1.0.0, =1.0.0, =1.0.0, =1.3.5-beta.937, =1.0.8-alpha, =3.34.0, =0.1.10, =1.0.5, =0.2.0, =0.4.5-next.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-4132...
MAL-2026-4132 Malicious code in echarts-for-react (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...