5 matches found
CVE-2026-40320
Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the ConformityCheck class rendered the rule parameter through Jinja2's default Template constructor, silently interpreting template expressions at runtime. If check definitions are loaded from an untrusted...
EUVD-2025-175359
Vega Cross-Site Scripting XSS via expressions abusing toString calls in environments using the VEGADEBUG global variable...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by supplying crafted Vega JSON definitions that abuse expression...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by supplying crafted Vega JSON definitions that abuse expression...
CVE-2025-59840 Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...