What is the CVSS score of CVE-2025-66648?

CVE-2025-66648 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Vega Functions are affected by CVE-2025-66648?

CVE-2025-66648 presents moderate security risk, a cross-site scripting vulnerability rated CVSS 7.2.. A patch is available.

Is there a public PoC exploit available for CVE-2025-66648?

Yes, a public proof-of-concept exploit is available for CVE-2025-66648. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-66648?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Verify anti-CSRF tokens and content security policies are enforced.

Vega Functions CVE-2025-66648

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-01-05 security-advisories@github.com

GHSA-m9rg-mr6g-75gm

XSS Vega Functions Red Hat

7.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.2 HIGH

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Red Hat

7.2 HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 05, 2026 - 21:27 vuln.today

Public exploit code

CVE Published

Jan 05, 2026 - 22:15 nvd

HIGH 7.2

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

118 npm packages depend on vega-functions (3 direct, 117 indirect)

Ecosystem-wide dependent count for version 6.1.1.

DescriptionGitHub Advisory

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions 6.1.1. There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.

AnalysisAI

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Vega-Functions. vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions 6.1.1. There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Vendor StatusVendor

CVE-2025-66648 vulnerability details – vuln.today

Back

Vega Functions CVE-2025-66648

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

Blast Radius

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code