PT-2020-16410 · Npm · Vega

Lowjheer · Published 2020-12-30 · Updated 2021-01-06 · CVE-2020-26296

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Vega versions prior to 5.17.3

Description: Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs, distributed as an npm package. Vega expressions are affected by a cross-site scripting (XSS) vulnerability: through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine.

Recommendations: For versions prior to 5.17.3, update to version 5.17.3 to resolve the issue. As a temporary workaround, consider restricting the use of Vega expressions to minimize the risk of exploitation.
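The workaround above is easiest to apply as a gate in front of the Vega runtime. The following is an added example, not code from the advisory or from the Vega project: it walks an untrusted spec and reports every string-valued field that Vega evaluates as an expression, so a deny-by-default decision can be made before rendering. The key set (`expr`, `signal`, `init`, `update`, `test`), the function names and the sample spec are assumptions of this example.

```javascript
// Keys whose string values Vega treats as expressions (assumption of this
// example, covering the usual spots: {"signal": ...} references, signal
// "init"/"update" fields, transform "expr" fields and encoding "test"
// conditions). Object-valued "update" (encode sets) is recursed, not flagged.
const EXPRESSION_KEYS = new Set(["expr", "signal", "init", "update", "test"]);

// Collect {path, expr} for every expression string found under `node`.
function findExpressions(node, path = "$", found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findExpressions(item, `${path}[${i}]`, found));
  } else if (node !== null && typeof node === "object") {
    for (const [key, value] of Object.entries(node)) {
      if (EXPRESSION_KEYS.has(key) && typeof value === "string") {
        found.push({ path: `${path}.${key}`, expr: value });
      } else {
        findExpressions(value, `${path}.${key}`, found);
      }
    }
  }
  return found;
}

// Deny-by-default gate for specs from an untrusted source: any expression
// rejects the spec; static values and plain field references pass. The
// findings are returned so they can be logged and reviewed.
function screenUntrustedSpec(spec) {
  const findings = findExpressions(spec);
  return { allowed: findings.length === 0, findings };
}

// Constructed sample spec: a formula transform, a signal update and a
// signal-driven encoding all carry expression strings and must be flagged.
const untrustedSpec = {
  $schema: "https://vega.github.io/schema/vega/v5.json",
  data: [{ name: "table", values: [{ x: 1 }],
           transform: [{ type: "formula", as: "y", expr: "datum.x * 2" }] }],
  signals: [{ name: "size", update: "width / 2" }],
  marks: [{ type: "rect", from: { data: "table" },
            encode: { update: { width: { signal: "size" }, x: { field: "x" } } } }],
};

console.log(screenUntrustedSpec(untrustedSpec));
```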

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-26296
GHSA-R2QC-W64X-6J54

Affected Products

Vega