Cross-site Scripting (XSS)
Vega is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the attachment of the vega library and a vega.View instance to the global window, combined with the acceptance of user-defined Vega JSON definitions, which can lead to arbitrary JavaScript code execution. An attacker can exploit this...
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
Impact: Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" expressionInterpreter is used.
1. Use vega in an application that attaches both the vega library and a vega.View instance to the global window (similar to the Vega Editor), or has an...
UBUNTU-CVE-2025-65110
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used...
SUSE CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
CVE-2025-59840
A cross-site scripting XSS vulnerability has been identified in the Vega visualization library when applications accept user-supplied Vega specifications and expose Vega objects on the global browser window. An attacker can craft a malicious Vega specification that triggers hidden JavaScript...
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Impact: Applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" expressionInterpreter is used.
1. Use vega in an application that attaches the vega library and a vega.View instance to the global window (similar to the Vega Editor).
2. Allow user-defined...
GHSA-7F2V-3QQ3-VVJF Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Impact: Applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" expressionInterpreter is used.
1. Use vega in an application that attaches the vega library and a vega.View instance to the global window (similar to the Vega Editor).
2. Allow user-defined...
EUVD-2025-175359
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable...
Cross-site Scripting (XSS)
Overview: vega-expression is a Vega expression parser and code generator. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGA_DEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGA_DEBUG global variable is present. An attacker can execute arbitrary JavaScript code by supplying crafted Vega JSON definitions that abuse expression...
Cross-site Scripting (XSS)
Overview: org.webjars.npm:vega-expression is a WebJar for vega-expression. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGA_DEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...
Cross-site Scripting (XSS)
Overview: org.webjars.npm:vega-interpreter is a WebJar for vega-interpreter. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGA_DEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...
Cross-site Scripting (XSS)
Overview: vega-interpreter is a CSP-compliant interpreter for Vega expressions. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the toString function in environments where the VEGA_DEBUG global variable is present. An attacker can execute arbitrary JavaScript code b...
DEBIAN-CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
UBUNTU-CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
CVE-2025-59840 Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...