Cross-Site Scripting Vulnerability in Apache ECharts Affecting Tooltip Rendering
CVE-2026-45249

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 25 May 2026

What is CVE-2026-45249?

A cross-site scripting (XSS) vulnerability exists in the tooltip rendering of the Lines series in Apache ECharts. If no custom tooltip.formatter is specified and the Lines series data includes raw HTML in series.data[i].name, that value can be rendered unsafely through innerHTML, potentially exposing users to script execution when the tooltip is displayed. The flaw bypasses the HTML escaping that the built-in tooltip formatters normally apply. To mitigate this risk, users should upgrade to version 6.1.0 or later, where the issue has been addressed.
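The check below is an added example, not code from Apache ECharts or from this advisory. It flags Lines series entries that match the condition above (no custom tooltip.formatter, markup in series.data[i].name) and returns a copy of the option with those names HTML-escaped, as a stopgap for deployments that cannot yet move to 6.1.0. The helper names, the sample option, and the choice to inspect only the global and series-level tooltip settings are assumptions.

```javascript
// Added example: audit an ECharts option for the condition in CVE-2026-45249.
// All names below are hypothetical helpers, not part of the ECharts API.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Assumption: only the global and the series-level tooltip settings are checked.
function hasCustomFormatter(option, series) {
  return [option.tooltip, series.tooltip].some((t) => t != null && t.formatter != null);
}

// Lists Lines-series data items whose name carries markup and would reach the
// built-in tooltip path (no custom formatter configured).
function findRiskyLineNames(option) {
  const findings = [];
  [].concat(option.series || []).forEach((series, seriesIndex) => {
    if (!series || series.type !== 'lines' || hasCustomFormatter(option, series)) return;
    (series.data || []).forEach((item, dataIndex) => {
      if (item && typeof item.name === 'string' && /[<>]/.test(item.name)) {
        findings.push({ seriesIndex, dataIndex, name: item.name });
      }
    });
  });
  return findings;
}

// Returns a copy with only the flagged names escaped; the input is not modified.
function hardenOption(option) {
  const risky = new Set(findRiskyLineNames(option).map((f) => `${f.seriesIndex}:${f.dataIndex}`));
  const series = [].concat(option.series || []).map((s, si) => {
    if (!s || !Array.isArray(s.data)) return s;
    const data = s.data.map((d, di) =>
      (risky.has(`${si}:${di}`) ? { ...d, name: escapeHtml(d.name) } : d));
    return { ...s, data };
  });
  return { ...option, series };
}

// Constructed sample: benign markup stands in for untrusted input.
const sampleOption = {
  series: [
    { type: 'lines', data: [{ name: '<b>Route A</b>', coords: [[0, 0], [1, 1]] }] },
    { type: 'lines', tooltip: { formatter: '{b}' }, data: [{ name: '<i>B</i>', coords: [[0, 0], [2, 2]] }] },
  ],
};
console.log(findRiskyLineNames(sampleOption), hardenOption(sampleOption).series[0].data[0]);
```

Escaped names show up as literal entities wherever the name is drawn as plain text, so this step should be dropped once the deployment runs 6.1.0 or later.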

Affected Version(s)

Apache ECharts: versions from 0 up to, but not including, 6.1.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lakshmikanthan K