Arbitrary JavaScript Code Execution Vulnerability in Vega Visualization Library
CVE-2025-65110

8.1 HIGH

Key Information:

Vendor

Vega

Status
Vendor
CVE Published:
5 January 2026

What is CVE-2025-65110?

The Vega visualization library has a vulnerability that allows arbitrary JavaScript code execution under specific conditions. Applications that use the Vega library and keep vega.View instances in the global scope are particularly at risk. If they also accept user-defined JSON specifications, an attacker can mount Cross-Site Scripting (XSS) attacks against them. Exploitation depends on user interaction: a malicious Vega specification can be crafted to execute unwanted JavaScript within the application’s domain. Consequently, it poses a serious risk of sensitive data theft and unauthorized actions. The issue can be mitigated by upgrading to patched versions and by not exposing Vega instances globally.

Affected Version(s)

vega < 5.6.3

vega >= 6.0.0, < 6.1.2

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
