npm package
vega-functions
pkg:npm/vega-functions
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66648 | | — | | < 6.1.1 | 6.1.1 | Jan 5, 2026 | vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript ( |
| CVE-2025-27793 | Med | — | | < 5.17.0 | 5.17.0 | Mar 27, 2025 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected |
| CVE-2025-26619 | | — | | < 5.16.0 | 5.16.0 | Mar 27, 2025 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that wer |
| CVE-2023-26486 | | — | | < 5.13.1 | 5.13.1 | Mar 3, 2023 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a us |
| CVE-2023-26487 | | — | | < 5.13.1 | 5.13.1 | Mar 3, 2023 | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. `lassoAppend` function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as |