8 matches found
@0xgg/echomd (>=1.0.0 <=1.0.4), @adobe/react-spectrum-charts (>=1.16.0 <=1.28.0) +353 more potentially affected by CVE-2025-59840 via vega (>=1.5.4 <=6.1.2)
vega NPM version =1.5.4, =1.0.0, =1.16.0, =0.2.0, =1.1.5, =0.4.3, =0.1.0, =0.0.1, =0.20.0, =0.20.0, =0.4.1-canary.195, =0.0.0, =0.2.0-beta.0, =0.2.0-beta.4 and more Source cves: CVE-2025-59840 Source advisory: OSV:GHSA-7F2V-3QQ3-VVJF...
UBUNTU-CVE-2025-59840
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...
@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +132 more potentially affected by CVE-2025-27793 via vega (>=1.5.4 <=5.31.0)
vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =1.0.5, =1.2.0, =0.0.2, =0.8.0, =3.1.3 - @jupyterlab/vega3-extension =0.14.3 and more Source cves: CVE-2025-27793 Source advisory: OSV:GHSA-963H-3V39-3PQF...
CVE-2025-26619 Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode `expressionInterpeter`
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In vega 5.30.0 and lower and in vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be...
CVE-2025-25304
CVE-2025-25304 affects Vega (visualization grammar) and its vega-selections component. Before version 5.26.0 of Vega and 5.4.2 of vega-selections, the vlSelectionTuples function could call attacker-controlled JavaScript functions, including Function(), enabling cross-site scripting via multiple c...
CVE-2025-25304
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...
@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +128 more potentially affected by CVE-2023-26487 via vega (>=1.5.4 <=5.22.1)
vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =1.0.5, =1.2.0, =0.0.2, =0.8.0, =3.1.3 - @jupyterlab/vega3-extension =0.14.3 and more Source cves: CVE-2023-26487 Source advisory: OSV:GHSA-W5M3-XH75-MP55...
@candela/stats (>=0.20.0 <=0.21.0), @candela/vega (>=0.20.0 <=0.23.0) +77 more potentially affected by CVE-2020-26296 via vega (>=1.5.4 <=5.17.2)
vega NPM version =1.5.4, =0.20.0, =0.20.0, =0.3.0, =0.6.0, =0.8.0, =1.0.0-alpha.13, =0.0.1, =1.0.0, =1.4.0, =1.0.3, =3.2.4 and more Source cves: CVE-2020-26296 Source advisory: OSV:GHSA-R2QC-W64X-6J54...