CVE-2020-26296

Source
https://cve.org/CVERecord?id=CVE-2020-26296
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26296.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26296
Aliases
Published
2020-12-30T23:15:15.233Z
Modified
2026-03-10T23:30:42.760352179Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Summary
[none]
Details

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3.

References

Affected packages

Git / github.com/vega/vega

Affected ranges

Type
GIT
Repo
https://github.com/vega/vega
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.17.3"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.5.4
v3.*
v3.0.0
v3.0.0-beta.1
v3.0.0-beta.10
v3.0.0-beta.11
v3.0.0-beta.12
v3.0.0-beta.13
v3.0.0-beta.14
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.18
v3.0.0-beta.19
v3.0.0-beta.2
v3.0.0-beta.20
v3.0.0-beta.21
v3.0.0-beta.22
v3.0.0-beta.23
v3.0.0-beta.24
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.3
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.4
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.0-beta.8
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.0.0-rc5
v3.0.0-rc6
v3.0.0-rc7
v3.0.1
v3.0.10
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.2.0
v3.2.1
v3.3.0
v3.3.1
v4.*
v4.0.0
v4.0.0-rc.1
v4.0.0-rc.3
v4.1.0
v4.2.0
v4.3.0
v4.4.0
v4.5.1
v5.*
v5.0.0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.0-rc4
v5.0.0-rc5
v5.1.0
v5.10.0
v5.10.1
v5.11.0
v5.11.1
v5.12.0
v5.12.1
v5.12.2
v5.12.3
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.16.1
v5.17.0
v5.17.1
v5.17.2
v5.2.0
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.4.0
v5.4.1
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.6.0
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.9.0
v5.9.1
v5.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26296.json"