Main Vulnerability Database Vulnerabilities #VU127087

#VU127087 Cross-site scripting in vega - CVE-2025-25304

Published: February 14, 2025 / Updated: April 23, 2026

Vulnerability identifier: #VU127087

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: CVE-2025-25304

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
vega

Software vendor:
Vega

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to cross-site scripting in the vlSelectionTuples function when processing attacker-controlled Vega input. A remote attacker can supply crafted input that causes JavaScript functions to be called to execute arbitrary JavaScript in the victim's browser.

Remediation

Install security update from vendor's website.

External links

https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j
https://github.com/advisories/GHSA-mp7w-mhcv-673j

#VU127087 Cross-site scripting in vega - CVE-2025-25304

Description

Remediation

External links

Please verify you're human