
CVE-2025-27793 – Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
https://notcve.org/view.php?id=CVE-2025-27793
27 Mar 2025 — Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users rendering Vega/Vega-Lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with the expression interpreter (`vega-interpreter`). • https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •

CVE-2025-26619 – Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode `expressionInterpreter`
https://notcve.org/view.php?id=CVE-2025-26619
27 Mar 2025 — Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. The issue only applies when `vega` is run without the `expressionInterpreter` (CSP mode), so running `vega` with `vega.expressionInterpreter` is the available workaround. • https://github.com/vega/vega-lite/issues/9469 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-25304 – Vega allows Cross-site Scripting via the vlSelectionTuples function
https://notcve.org/view.php?id=CVE-2025-25304
14 Feb 2025 — Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting. `vlSelectionTuples` calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call `Function()` with arbitrary JavaScript and the resulti... • https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-35163 – Vega's validators able to submit duplicate transactions
https://notcve.org/view.php?id=CVE-2023-35163
23 Jun 2023 — Vega is a decentralized trading platform that allows pseudo-anonymous trading of derivatives on a blockchain. Prior to version 0.71.6, a vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party’s general account. This is without depositing any mo... • https://github.com/vegaprotocol/vega/commit/56b09bf57af8cd9eca5996252d86f469a3e34c68 • CWE-20: Improper Input Validation •

CVE-2023-26486 – Vega `scale` expression function cross site scripting
https://notcve.org/view.php?id=CVE-2023-26486
03 Mar 2023 — Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The `scale` expression function passes a user-supplied argument `group` to `getScale`, which is then used as if it were an internal context. `context.scales[name].value` is accessed from `group` and called as a function back in `scale`. This can be exploited to escape the Vega exp... • https://github.com/vega/vega/releases/tag/v5.23.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-26487 – Vega has cross-site scripting vulnerability in `lassoAppend` function
https://notcve.org/view.php?id=CVE-2023-26487
03 Mar 2023 — Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The `lassoAppend` function accepts 3 arguments and internally invokes the `push` function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the `push` call argument. The type of the 1st argument is supposed to be an array, but this is not enforced. This makes it possible to specify any object with a `push` function as the 1st argument; that `push` function can be set to any functio... • https://github.com/vega/vega/commit/01adb034f24727d3bb321bbbb6696a7f4cd91689 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
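The three entries above for CVE-2025-25304 (`vlSelectionTuples`), CVE-2023-26486 (`scale`) and CVE-2023-26487 (`lassoAppend`) share one root cause: an expression-language builtin looks up a method or callable on a value the attacker controls and calls it without first checking the value's type. The snippet below is an added illustration of that pattern and its fix, not code from Vega or from the advisories; `vulnerableAppend`, `safeAppend` and the demo functions are hypothetical names, and the "attacker" object is a recording spy rather than a real payload.

```javascript
// Added example (not Vega's code). Models the unchecked-argument dispatch behind
// CVE-2023-26487: a 3-argument "append" that calls .push on its first argument.

// Vulnerable shape: whatever the caller passes is trusted to be an array, so the
// `push` that actually runs is whichever one that value carries.
function vulnerableAppend(list, x, y) {
  list.push([x, y]);
  return list;
}

// Hardened shape: reject non-arrays up front, and dispatch through the intrinsic
// Array.prototype.push so a `push` own-property on the argument is never consulted.
function safeAppend(list, x, y) {
  if (!Array.isArray(list)) {
    throw new TypeError('first argument must be an array');
  }
  Array.prototype.push.call(list, [x, y]);
  return list;
}

// Constructed demo: an object that merely *has* a `push` property hijacks the call,
// and receives the attacker-chosen [x, y] as its argument.
function demonstrateHijack() {
  const calls = [];
  const hostile = {
    push(arg) { calls.push(arg); return 'hijacked'; }
  };
  vulnerableAppend(hostile, 1, 2);
  return calls; // -> [[1, 2]]: the hostile push ran with the controlled argument
}

// Same hostile object against the hardened version: rejected before any dispatch.
function demonstrateReject() {
  let ran = false;
  const hostile = { push() { ran = true; return 'hijacked'; } };
  try {
    safeAppend(hostile, 1, 2);
    return 'allowed';
  } catch (e) {
    return (e instanceof TypeError && !ran) ? 'rejected' : 'other';
  }
}
```

`Array.isArray` is the right check here because `instanceof Array` fails across realms and a `length`/duck-typing test is exactly what the bug exploits. One caveat: `Array.isArray` returns true for a `Proxy` wrapping an array, so if the expression sandbox also exposes `Proxy`, the intrinsic-dispatch line still matters, since it stops a forged `push` even when the type check passes.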

CVE-2020-26296 – XSS in Vega
https://notcve.org/view.php?id=CVE-2020-26296
30 Dec 2020 — Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3. • https://github.com/vega/vega/issues/3018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-10806
https://notcve.org/view.php?id=CVE-2019-10806
09 Mar 2020 — vega-util prior to 1.13.1 allows manipulation of the object prototype. The 'vega.mergeConfig' method within vega-util could be tricked into adding or modifying properties of Object.prototype. • https://github.com/vega/vega/commit/8f33a0b5170d7de4f12fc248ec0901234342367b • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
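The entry above says only that `vega.mergeConfig` "could be tricked into adding or modifying properties of Object.prototype". The block below is an added example of how a recursive config merge gets tricked that way and what the hardened form looks like; it is not vega-util's code, `naiveMerge`/`safeMerge` are hypothetical names, and the JSON payload is constructed for the demo (the property name `vegaDemoPolluted` is arbitrary and is deleted again so the demo leaves the runtime clean).

```javascript
// Added example (not vega-util's code): prototype pollution through a deep merge.

// Naive deep merge: walks every enumerable key of `source` and recurses into
// whatever `target[key]` already is. A JSON-parsed object can carry an OWN
// property literally named "__proto__"; reading target["__proto__"] then yields
// Object.prototype, and the recursion writes into it.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

// Hardened merge: skip the keys that reach the prototype chain, iterate own keys
// only, and never recurse into a property `target` merely inherits.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: an untrusted config with a "__proto__" member.
const HOSTILE_CONFIG_JSON = '{"__proto__": {"vegaDemoPolluted": true}, "axis": {"grid": true}}';

// Naive merge: after merging, EVERY object now reports vegaDemoPolluted === true.
function demonstratePollution() {
  naiveMerge({}, JSON.parse(HOSTILE_CONFIG_JSON));
  const leaked = ({}).vegaDemoPolluted === true;
  delete Object.prototype.vegaDemoPolluted; // clean up so the demo has no lasting effect
  return leaked; // -> true
}

// Hardened merge: the legitimate "axis" override is applied, the prototype is untouched.
function demonstrateSafe() {
  const merged = safeMerge({ axis: { grid: false, ticks: 5 } }, JSON.parse(HOSTILE_CONFIG_JSON));
  const leaked = ({}).vegaDemoPolluted === true;
  delete Object.prototype.vegaDemoPolluted;
  return { leaked, grid: merged.axis.grid, ticks: merged.axis.ticks }; // -> leaked false, grid true, ticks 5
}
```

The key-denylist alone is not enough on its own: `for...in` and an unguarded `target[key]` lookup also let a merge descend into inherited state, which is why the hardened version combines `Object.keys`, the `hasOwnProperty` guard and a plain-object check on both sides of the recursion. Building the merge target with `Object.create(null)` is a further option when the config object never needs `Object.prototype` methods.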