pkg:npm/vega
7 total CVEsHIGH2MEDIUM3
✅ Check your installed version
All known vulnerabilities
from 0, < 5.17.3
HIGH8.1CVE-2025-59840Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable from 0, < 6.2.0
MEDIUM6.1CVE-2025-26619Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter from 0, < 5.31.0
MEDIUM6.1Vega Expression Language `scale` expression function Cross Site Scripting
from 0, < 5.23.0
MEDIUM6.1Vega has Cross-site Scripting vulnerability in `lassoAppend` function
from 0, < 5.23.0
—Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
from 0, < 5.32.0
—Vega allows Cross-site Scripting via the vlSelectionTuples function
from 0, < 5.26.0