CVE-2025-26619

Public Exploit
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode `expressionInterpeter`

Description

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

Category

5.3
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.04%
Vendor Advisory github.com
Affected: vega vega
Published at:
Updated at:

References

Link Tags
https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr vendor advisory exploit
https://github.com/vega/vega-lite/issues/9469 issue tracking
https://github.com/vega/vega/issues/3984 issue tracking exploit
https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c patch

Frequently Asked Questions

What is the severity of CVE-2025-26619?
CVE-2025-26619 has been scored as a medium severity vulnerability.
How to fix CVE-2025-26619?
To fix CVE-2025-26619, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-26619 being actively exploited in the wild?
It is possible that CVE-2025-26619 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-26619?
CVE-2025-26619 affects vega vega.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.