Home > Vulnerability Database > CVE-2025-27793

Mend.io Vulnerability Database

CVE-2025-27793

Good to know:

Date: March 27, 2025

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the "vega-interpreter". Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use "vega" with expression interpreter.

Severity Score

6.5

Related Resources (7)

Url: https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966

Url: https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf

Url: https://github.com/vega/vega/releases/tag/v5.32.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-27793

Url: https://github.com/vega/vega

Url: https://vega.github.io/vega/usage/interpreter

Url: https://www.mend.io/vulnerability-database/CVE-2025-27793

Severity Score

6.5

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Alternate XSS Syntax

CWE-87

Top Fix

Upgrade Version

Upgrade to version vega - 5.32.0;vega - 5.32.0;vega-functions - 5.17.0;vega-functions - 5.17.0;vega - 5.32.0;vega - 5.32.0;https://github.com/vega/vega.git - v5.32.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-27793

Good to know:

Date: March 27, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?