CVE-2025-14896
due to insufficient sanitization in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.
Vendor
-
Product
-
CWE
Publication Date
2025-12-18 17:15:47
Updated
2025-12-19 18:00:18
Source Identifier
report@snyk.io
KEV Date Added
-