CVE-2025-59840

A cross-site scripting XSS vulnerability has been identified in the Vega visualization library when applications accept user-supplied Vega specifications and expose Vega objects on the global browser window. An attacker can craft a malicious Vega specification that triggers hidden JavaScript...