CVE-2020-26296

2020-12-3023:15:15

Google

osv.dev

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.3%

JSON

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega in an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary javascript on a victim’s machine. This is fixed in version 5.17.3

CPENameOperatorVersion
vegaeq3.3.0
vegaeq5.15.0
vegaeq3.0.0-beta.28
vegaeq1.4.0
vegaeq1.4.3
vegaeq3.0.0-beta.35
vegaeq5.7.3
vegaeq5.10.0
vegaeq1.3.1
vegaeq5.12.0