CVE-2025-66648: `vega-functions` vulnerable to Cross-site Scripting via `setdata` function

January 5, 2026 (updated January 6, 2026)

For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS).

References

github.com/advisories/GHSA-m9rg-mr6g-75gm
github.com/vega/vega
github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm
nvd.nist.gov/vuln/detail/CVE-2025-66648

Code Behaviors & Features

Detect and mitigate CVE-2025-66648 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →