Skip to main content

Apache ECharts EUVDEUVD-2026-31650

| CVE-2026-45249 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-25 apache GHSA-fgmj-fm8m-jvvx
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 11:40 vuln.today
Analysis Generated
Jun 08, 2026 - 11:40 vuln.today
CVSS changed
May 26, 2026 - 17:22 NVD
6.1 (MEDIUM)
CVE Published
May 25, 2026 - 07:38 nvd
MEDIUM 6.1
CVE Published
May 25, 2026 - 07:38 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 606 npm packages depend on echarts (440 direct, 176 indirect)

Ecosystem-wide dependent count for version 6.1.0.

DescriptionCVE.org

A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic.

This issue affects Apache ECharts: from before 6.1.0.

In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed.

Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.

AnalysisAI

Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.

Technical ContextAI

Apache ECharts is an open-source JavaScript visualization library (CPE: cpe:2.3:a:apache_software_foundation:apache_echarts:*:*:*:*:*:*:*:*). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically an innerHTML sink in the Lines series tooltip formatting code in src/chart/lines/LinesSeries.ts. Prior to the fix in PR #21608, the getDefaultTooltipContent method returned series.data[i].name directly as a raw string, which the tooltip subsystem then injected via innerHTML without sanitization. All other built-in ECharts tooltip formatters apply HTML escaping by convention, but the Lines series code path lacked this step, creating an inconsistency that constitutes the vulnerability. The fix restructures the returned data object to include explicit name and value fields, enabling proper downstream escaping. The affected Lines series is used to render polyline or route data on geographic or Cartesian coordinate systems and is commonly used in map-overlay visualizations.

RemediationAI

Upgrade Apache ECharts to version 6.1.0, which contains the fix committed in GitHub PR #21608 (https://github.com/apache/echarts/pull/21608). This is the primary and recommended remediation per the Apache advisory at https://lists.apache.org/thread/1g6xk7gd9vg1c6zyqqt2lnko10zomc3o. If an immediate upgrade is not feasible, a targeted workaround is to supply a custom tooltip.formatter for any Lines series that renders user-influenced data - since custom formatters are responsible for their own output and can perform explicit HTML escaping (e.g., using a utility such as DOMPurify or a simple entity-encoder), this prevents the vulnerable built-in path from executing. A second workaround is to sanitize all values assigned to series.data[i].name on the server side before they reach the browser, stripping or encoding HTML characters; this adds defense-in-depth regardless of upgrade status but requires discipline across all data pipelines. Disabling tooltips globally is effective but eliminates useful UX. The Apache security best-practices guide at https://echarts.apache.org/handbook/en/best-practices/security/#passing_raw_html_safely provides additional guidance on safe HTML handling in ECharts.

Share

EUVD-2026-31650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy