@0xgg/echomd (>=1.0.0 <=1.0.4), @ajuhos/malloy-tests (>=0.0.332 <=0.0.334) +362 more potentially affected by CVE-2025-59840 via vega-expression (>=1.2.1 <=5.1.2)

vega-expression NPM version =1.2.1, =1.0.0, =0.0.332, =0.0.332, =1.1.5, =0.0.1, =0.20.0, =0.20.0, =2.4.22, =0.4.1-canary.195, =0.0.0, =0.1.0, =0.3.0, =0.8.8 and more Source cves: CVE-2025-59840 Source advisory: OSV:GHSA-7F2V-3QQ3-VVJF...

@omni-co/vega-lite (>=6.2.0-fork.2 <=6.2.0-fork.2-beta.2), arakawa (=0.1.0-alpha.1) +3 more potentially affected by CVE-2025-59840 via vega-expression (=6.0.0)

vega-expression NPM version =6.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on vega-expression and may be impacted: - @omni-co/vega-lite =6.2.0-fork.2, =6.0.0, =6.0.0, =6.0.0, =6.3.1 Source cves: CVE-2025-59840 Source advisory: OSV:GHSA-7F2V-3QQ3-V...

org.webjars.npm:vega-selections (>=5.1.0 <=5.6.0), org.webjars.npm:vega-typings (>=0.22.0 <=0.22.3) potentially affected by CVE-2025-59840 via org.webjars.npm:vega-expression (>=2.7.0 <=5.2.0)

org.webjars.npm:vega-expression MAVEN version =2.7.0, =5.1.0, =0.22.0, =0.22.3 Source cves: CVE-2025-59840 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-13961290...

@0xgg/echomd (>=1.0.2 <=1.0.4), @ajuhos/malloy-tests (>=0.0.332 <=0.0.334) +169 more potentially affected by CVE-2025-59840 via vega-expression (>=5.0.1 <=5.1.2)

vega-expression NPM version =5.0.1, =1.0.2, =0.0.332, =0.0.332, =1.1.5, =0.4.1-canary.195, =0.1.0, =3.0.0, =0.0.2, =0.0.1, =0.0.5, =0.0.1, =0.0.8 and more Source cves: CVE-2025-59840 Source advisory: SNYK:JS-VEGAEXPRESSION-13961124...

Cross-site Scripting (XSS)

Overview org.webjars.npm:vega-expression is a WebJar for vega-expression. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...

Cross-site Scripting (XSS)

Overview vega-expression is a Vega expression parser and code generator. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the toString function in environments where the VEGADEBUG global variable is present. An attacker can execute arbitrary JavaScript code by...

CVE-2025-26619

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In vega 5.30.0 and lower and in vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be...

CVE-2023-26486

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...