2427238 – (CVE-2025-66648) CVE-2025-66648 vega-functions: vega-functions: Cross-Site Scripting via untrusted user input

Bug 2427238 (CVE-2025-66648) - CVE-2025-66648 vega-functions: vega-functions: Cross-Site Scripting via untrusted user input

Summary: CVE-2025-66648 vega-functions: vega-functions: Cross-Site Scripting via untru...

Keywords:
Status:	NEW
Alias:	CVE-2025-66648
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2427338 2427339 2427340 2427341
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-05 22:01 UTC by OSIDB Bzimport
Modified:	2026-01-06 07:32 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-05 22:01:54 UTC

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.

Note You need to log in before you can comment on or make changes to this bug.