CVE-2026-45249

MEDIUM EPSS 50.6%
Published May 25, 2026 (1mo ago) · Modified Jun 17, 2026 (2w ago)
6.1 CVSS 3.1
Medium

Description

A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts versions before 6.1.0. In versions prior to 6.1.0, if both the Lines series and the tooltip are used, no user-specified tooltip.formatter is provided, and series.data[i].name is specified, the raw HTML string in series.data[i].name is rendered through an innerHTML sink into the tooltip content. Although the tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.
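The description above explains the mechanism: the built-in Lines tooltip passed series.data[i].name to an innerHTML sink without escaping, whereas a user-supplied tooltip.formatter controls exactly what string reaches that sink. The following is an added example, not code from the advisory or from the ECharts project. It models the described pre-6.1.0 behaviour with a deliberately simplified raw-name formatter, places an HTML-escaping custom formatter beside it (a compensating control for deployments that cannot upgrade yet), and checks that a constructed data name containing markup comes out neutralised. It assumes the documented tooltip.formatter(params) signature, where params.name and params.data carry the datum; the option shape and sample coordinates are illustrative.

```javascript
// Minimal HTML escaper covering the five characters that matter in an innerHTML sink.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Simplified model of the behaviour the advisory describes for versions before 6.1.0:
// the datum's name is concatenated into tooltip HTML without escaping.
// This is an illustration of the described defect, not the project's actual code.
function rawNameFormatter(params) {
  const name = params.data && params.data.name != null ? params.data.name : params.name;
  return params.seriesName + '<br/>' + name;
}

// Hardened custom formatter: every dynamic value is escaped before it is
// concatenated, so a name carrying markup is rendered as visible text.
function linesTooltipFormatter(params) {
  const name = params.data && params.data.name != null ? params.data.name : params.name;
  const coords = Array.isArray(params.data && params.data.coords) ? params.data.coords : [];
  const path = coords
    .map((point) => '[' + escapeHtml(point.map(Number).join(', ')) + ']')
    .join(' -> ');
  return escapeHtml(params.seriesName) + '<br/>' + escapeHtml(name) + (path ? '<br/>' + path : '');
}

// Builds an illustrative chart option with the escaping formatter attached.
function buildLinesOption(data, formatter) {
  return {
    tooltip: { trigger: 'item', formatter: formatter || linesTooltipFormatter },
    series: [{ type: 'lines', name: 'routes', data: data }],
  };
}

// Constructed sample datum whose name carries markup, as the advisory describes.
const SAMPLE_DATA = [
  { name: 'Beijing <script>alert(1)</script>', coords: [[116.4, 39.9], [121.5, 31.2]] },
];

// Invokes the option's formatter the way a tooltip would: with a params object
// built from the series and the selected datum (hypothetical harness, not ECharts itself).
function renderTooltipHtml(option, index) {
  const series = option.series[0];
  const datum = series.data[index];
  return option.tooltip.formatter({
    seriesName: series.name,
    name: datum.name,
    data: datum,
    dataIndex: index,
  });
}

// True when the rendered tooltip string contains no unescaped tag opener.
function tooltipIsMarkupFree(html) {
  return !/<(?!br\/>)/.test(html);
}

// Stand-alone run: show the unsafe and the hardened output side by side.
console.log('raw:     ', renderTooltipHtml(buildLinesOption(SAMPLE_DATA, rawNameFormatter), 0));
console.log('escaped: ', renderTooltipHtml(buildLinesOption(SAMPLE_DATA), 0));
```

The check in tooltipIsMarkupFree tolerates only the formatter's own `<br/>` separators, which is the intent of the best-practice guidance the references link to: markup the application deliberately emits is fine, markup arriving in data must never reach innerHTML unescaped.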

CVSS Details

Base Score
6.1
Exploitability
2.8
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
50.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor   Product   Version   Range
apache   echarts   *         <6.1.0

References 5

  • openwall.com http://www.openwall.com/lists/oss-security/2026/05/23/4
    Mailing List, Third Party Advisory
  • echarts.apache.org https://echarts.apache.org/en/option.html#series-lines
    Product
  • echarts.apache.org https://echarts.apache.org/handbook/en/best-practices/security/#passing_raw_html_safely
    Product
  • github.com https://github.com/apache/echarts/pull/21608
    Issue Tracking, Patch
  • lists.apache.org https://lists.apache.org/thread/1g6xk7gd9vg1c6zyqqt2lnko10zomc3o
    Mailing List, Vendor Advisory

Remediation

  • github.com https://github.com/apache/echarts/pull/21608
    Issue Tracking, Patch