CVE-2025-26619: 
JavaScript vulnerability analysis and mitigation

Vega, a visualization grammar for creating, saving, and sharing interactive visualization designs, was found to contain a Cross-Site Scripting (XSS) vulnerability (CVE-2025-26619). The vulnerability affects Vega versions 5.30.0 and lower, and Vega-functions versions 5.15.0 and lower, where it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported (GitHub Advisory).

The vulnerability exists in the filter property of a select parameter which exposes the browser's Window object via event.view, allowing arbitrary code execution through scale(event.view.setTimeout, '[code payload here]'). The issue stems from the scale$2 function only checking if a scale is registered when specified as a string; if a function is passed to scale(), it is invoked unconditionally (Vega Issue).

This vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious actions when users interact with affected Vega visualizations (GitHub Advisory).

The vulnerability has been patched in Vega version 5.31.0 and Vega-functions version 5.16.0. For users unable to upgrade immediately, two workarounds are available: 1) Run Vega without vega.expressionInterpreter (though this mode is slower than the default), or 2) Use the interpreter in CSP safe mode (Content Security Policy), which prevents arbitrary Javascript execution (GitHub Advisory).