Apache Echarts
Monthly
Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.
Cross-site scripting in Apache ECharts before 6.1.0 allows remote unauthenticated attackers to inject and execute arbitrary HTML and JavaScript in a victim's browser via the Lines series tooltip rendering path. When an application uses the Lines series with tooltips enabled, omits a custom tooltip.formatter, and populates series.data[i].name with attacker-influenced data, ECharts passes the raw name string through an innerHTML sink rather than applying the HTML escaping that all other built-in tooltip formatters perform. No public exploit is identified at time of analysis and EPSS is 0.03% (10th percentile), but the GitHub PR fixing this issue includes a working test case demonstrating script execution via a crafted name payload.