Home > Vulnerability Database > CVE-2025-14896

Mend.io Vulnerability Database

CVE-2025-14896

Good to know:

Date: December 18, 2025

due to insufficient sanitazation in Vega’s "convert()" function when "safeMode" is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.

Severity Score

7.5

Related Resources (3)

Url: https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-14896

Url: https://www.mend.io/vulnerability-database/CVE-2025-14896

Severity Score

7.5

Weakness Type (CWE)

Files or Directories Accessible to External Parties

CWE-552

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-14896

Good to know:

Date: December 18, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?