5 matches found
CVE-2025-59840
CVE-2025-59840 (Vega XSS): The vulnerability affects Vega prior to 6.2.0, where an application that attaches the Vega library and a global vega.View instance to window and allows user-defined Vega JSON can be exploited to execute arbitrary JavaScript, even with the safe mode expressionInterpreter. Th...
Cross-Site Scripting (XSS)
Vega and vega-functions are vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient sandboxing, which allows unsupported JavaScript functions to be called from the Vega expression language...
Cross-site Scripting (XSS)
Vega and vega-selections are vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper function invocation: the vlSelectionTuples function allows attacker-controlled input to execute arbitrary JavaScript via Function, leading to potential code execution...
PT-2023-33009 · Vega · Vega
Name of the Vulnerable Software and Affected Versions: Vega versions prior to 4.5.1; Vega versions prior to 5.4.1
Description: The issue allows for arbitrary code execution when clicking href links.
Recommendations: For versions prior to 4.5.1, update to version 4.5.1 to resolve the issue. For...
PT-2023-20677 · Vega · Vega
Name of the Vulnerable Software and Affected Versions: Vega versions prior to 5.13.1
Description: The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute...