{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66648", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-05T20:23:19.596Z", "datePublished": "2026-01-05T21:33:14.011Z", "dateUpdated": "2026-01-06T15:40:18.443Z"}, "containers": {"cna": {"title": "`vega-functions` vulnerable to Cross-site Scripting via `setdata` function", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm"}], "affected": [{"vendor": "vega", "product": "vega", "versions": [{"version": "< 6.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-05T21:33:14.011Z"}, "descriptions": [{"lang": "en", "value": "vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue."}], "source": {"advisory": "GHSA-m9rg-mr6g-75gm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T15:40:01.643885Z", "id": "CVE-2025-66648", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:40:18.443Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66648", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T15:40:01.643885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T15:40:11.468Z"}}], "cna": {"title": "`vega-functions` vulnerable to Cross-site Scripting via `setdata` function", "source": {"advisory": "GHSA-m9rg-mr6g-75gm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vega", "product": "vega", "versions": [{"status": "affected", "version": "< 6.1.1"}]}], "references": [{"url": "https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm", "name": "https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-05T21:33:14.011Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66648", "state": "PUBLISHED", "dateUpdated": "2026-01-06T15:40:18.443Z", "dateReserved": "2025-12-05T20:23:19.596Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-05T21:33:14.011Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue."}], "id": "CVE-2025-66648", "lastModified": "2026-01-05T22:15:51.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-05T22:15:51.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vega-functions: vega-functions: Cross-Site Scripting via untrusted user input", "id": "2427238", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427238"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in vega-functions. For sites that allow users to supply untrusted input, a remote attacker could exploit a vulnerability by maliciously using an internal function. This could lead to the execution of unintentional JavaScript, resulting in Cross-Site Scripting (XSS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-66648", "public_date": "2026-01-05T21:33:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66648\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66648\nhttps://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm"], "statement": "This vulnerability is rated Important for Red Hat products such as jupyterlab and snakemake in Fedora and EPEL, and cloud.redhat.com services utilizing vega-functions. The flaw allows for Cross-Site Scripting (XSS) when applications permit untrusted user input to be processed by vega-functions, potentially leading to the execution of unintentional JavaScript.", "threat_severity": "Important"}

{"created": "2026-01-06T14:16:38.738802+00:00", "updated": "2026-01-06T14:16:38.738840+00:00", "vendors": ["vega_project", "vega_project$PRODUCT$vega-functions"]}