`vega-functions` vulnerable to Cross-site Scripting via `setdata` function

Impact For sites that allow users to supply untrusted user input, malicious use of an internal function not part of the public API could be used to run unintentional javascript XSS. Patches Fixed in vega-functions 6.1.1 Workarounds There is no workaround besides upgrading. Using...

CVE-2025-66648

The CVE-2025-66648 issue affects vega-functions (Vega expression language implementation). Prior to version 6.1.1, an internal function (not part of the public API) could be abused when sites accept untrusted input, enabling unintended JavaScript execution (XSS). The vulnerability is fixed in veg...

GHSA-3C3P-XH4F-PFH7 json-schema-editor-visual vulnerable to prototype pollution

json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload,...

CVE-2025-57320

json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload,...