{"id":"GHSA-r2qc-w64x-6j54","summary":"XSS in Vega","details":"Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package.\nIn Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could\nexecute arbitrary JavaScript on a victim's machine.\n\nThis is fixed in version 5.17.3.","aliases":["CVE-2020-26296"],"modified":"2026-02-04T03:45:36.147604Z","published":"2020-12-30T23:09:21Z","related":["CVE-2020-26296"],"database_specific":{"github_reviewed_at":"2020-12-30T23:08:59Z","cwe_ids":["CWE-79"],"github_reviewed":true,"nvd_published_at":"2020-12-30T23:15:00Z","severity":"LOW"},"references":[{"type":"WEB","url":"https://github.com/vega/vega/security/advisories/GHSA-r2qc-w64x-6j54"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26296"},{"type":"WEB","url":"https://github.com/vega/vega/issues/3018"},{"type":"WEB","url":"https://github.com/vega/vega/pull/3019"},{"type":"WEB","url":"https://github.com/vega/vega/releases/tag/v5.17.3"},{"type":"WEB","url":"https://www.npmjs.com/package/vega"}],"affected":[{"package":{"name":"vega","ecosystem":"npm","purl":"pkg:npm/vega"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.17.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-r2qc-w64x-6j54/GHSA-r2qc-w64x-6j54.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"}]}