billboard.js is vulnerable to XSS during chart option binding
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
Advisories for Npm/Billboard.js package
2026
2025
billboard.js allows prototype pollution via the function generate
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.