High severity 7.5 · OSV Advisory · Published Dec 18, 2025 · Updated Apr 15, 2026
CVE-2025-14896
Description
Due to insufficient sanitization in Vega’s convert() function when safeMode is enabled and the spec variable is an array, an attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.
Affected products: 1
Patches: 1
f31093cd8a0a
Vulnerability mechanics