XSS in Vega

CVE-2025-25304

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call J…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.006 (44.3th percentile)

Affected products

  • Vega — versions < 5.26.0

References