CVE-2026-1513: billboard.js is vulnerable to XSS during chart option binding

January 28, 2026

billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.

References

cve.naver.com/detail/cve-2026-1513.html
github.com/advisories/GHSA-rpc5-pm7q-hjmp
github.com/naver/billboard.js
github.com/naver/billboard.js/commit/49e079cdd466fc8ba7ab208988181e5b7a5f336b
github.com/naver/billboard.js/issues/4078
nvd.nist.gov/vuln/detail/CVE-2026-1513

Code Behaviors & Features

Detect and mitigate CVE-2026-1513 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →