Skip to content

XSS in Vega

Low severity GitHub Reviewed Published Dec 30, 2020 in vega/vega • Updated Feb 1, 2023

Package

npm vega (npm)

Affected versions

< 5.17.3

Patched versions

5.17.3

Description

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega in an npm package.
In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could
execute arbitrary javascript on a victim's machine.

This is fixed in version 5.17.3

References

@jheer jheer published to vega/vega Dec 30, 2020
Reviewed Dec 30, 2020
Published to the GitHub Advisory Database Dec 30, 2020
Published by the National Vulnerability Database Dec 30, 2020
Last updated Feb 1, 2023

Severity

Low

EPSS score

0.099%
(43rd percentile)

Weaknesses

CVE ID

CVE-2020-26296

GHSA ID

GHSA-r2qc-w64x-6j54

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.