PT-2026-42882 · Apache · Apache Echarts

Lakshmikanthan K · Published 2026-05-23 · Updated 2026-05-28 · CVE-2026-45249

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Apache ECharts versions prior to 6.1.0

Description
A cross-site scripting (XSS) issue exists in the Lines series tooltip rendering logic. When the Lines series and tooltip are used without a user-specified tooltip.formatter, and series.data[i].name is provided, raw HTML strings in series.data[i].name can be rendered through an innerHTML sink into the tooltip content. While tooltips typically allow raw HTML via custom formatters, the built-in formatters usually perform HTML escaping automatically; however, this specific case fails to do so, potentially leading to script execution when tooltips are displayed.

Recommendations
Upgrade to version 6.1.0.
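
To find charts that meet the condition in the description while the upgrade is rolled out, an option object can be audited before it is handed to the chart. This is an added example, not code from Apache ECharts or from this advisory; the function name auditLinesTooltipNames, the choice of which tooltip levels count as user-specified, and the sample option are assumptions constructed for illustration.

```javascript
// Added example (not ECharts code): flag option objects that meet the
// advisory's condition on versions prior to 6.1.0.
const HTML_SIGNIFICANT = /[&<>"']/; // characters that matter at an innerHTML sink

function hasFormatter(tooltip) {
  return tooltip !== null && typeof tooltip === 'object' && tooltip.formatter != null;
}

// Returns [{ seriesIndex, dataIndex, name }] for each at-risk data item.
function auditLinesTooltipNames(option) {
  const findings = [];
  // Assumption: a chart without a tooltip component shows no tooltip at all.
  if (!option || typeof option !== 'object' || option.tooltip == null) return findings;
  const series = Array.isArray(option.series) ? option.series
    : option.series ? [option.series] : [];
  const globalFormatter = hasFormatter(option.tooltip);

  series.forEach((s, seriesIndex) => {
    if (!s || s.type !== 'lines' || !Array.isArray(s.data)) return;
    // Assumption: a formatter set globally or on the series counts as
    // "user-specified"; its output is then the application's responsibility.
    if (globalFormatter || hasFormatter(s.tooltip)) return;
    s.data.forEach((item, dataIndex) => {
      const name = item && item.name;
      if (typeof name === 'string' && HTML_SIGNIFICANT.test(name)) {
        findings.push({ seriesIndex, dataIndex, name });
      }
    });
  });
  return findings;
}

// Constructed sample option; names and coordinates are made up.
const sampleOption = {
  tooltip: { trigger: 'item' },
  series: [
    { type: 'lines', data: [
      { name: 'Depot to Harbour', coords: [[116.4, 39.9], [121.5, 31.2]] },
      { name: '<b>Route 7</b>', coords: [[116.4, 39.9], [113.3, 23.1]] },
    ] },
    { type: 'lines', tooltip: { formatter: '{b}' }, data: [
      { name: '<i>custom formatter</i>', coords: [[0, 0], [1, 1]] },
    ] },
    { type: 'bar', data: [{ name: '<u>not a lines series</u>', value: 3 }] },
  ],
};

console.log(auditLinesTooltipNames(sampleOption));
```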

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-45249

Affected Products: Apache Echarts