Lucene search
+L

6 matches found

osv
osv
added 2025/11/13 10:32 p.m.5 views

GHSA-7F2V-3QQ3-VVJF Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable

Impact Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. 1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window 2. Allow user-defined...

8.1CVSS6.8AI score0.00383EPSS
Exploits0References7
snyk
snyk
added 2025/11/13 8:43 p.m.3 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:vega-interpreter is a WebJar for vega-interpreter. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...

8.1CVSS5.5AI score0.00383EPSS
Exploits0References2
snyk
snyk
added 2025/11/13 8:43 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by supplying crafted Vega JSON definitions that abuse expression...

8.1CVSS5.5AI score0.00383EPSS
Exploits0References2
snyk
snyk
added 2025/11/13 8:43 p.m.3 views

Cross-site Scripting (XSS)

Overview vega-interpreter is a CSP-compliant interpreter for Vega expressions. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code b...

8.1CVSS5.5AI score0.00383EPSS
Exploits0References2
snyk
snyk
added 2025/11/13 8:43 p.m.3 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:vega-expression is a WebJar for vega-expression. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...

8.1CVSS5.5AI score0.00383EPSS
Exploits0References2
cve
cve
added 2025/11/13 7:54 p.m.36 views

CVE-2025-59840

CVE-2025-59840 (Vega XSS) : The vulnerability affects Vega prior to 6.2.0 where an application that attaches the Vega library and a global vega.View instance to window and allows user-defined Vega JSON can be exploited to execute arbitrary JavaScript, even with safe mode expressionInterpreter. Th...

8.1CVSS6.6AI score0.00383EPSS
Exploits0References1
Rows per page
Query Builder