Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-45249
Received
More InfoOfficial Page
Source-security@apache.org
View Known Exploited Vulnerability (KEV) details
Published At-25 May, 2026 | 08:16
Updated At-26 May, 2026 | 17:16

A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity@apache.org
CWE ID: CWE-79
Type: Secondary
Source: security@apache.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://echarts.apache.org/en/option.html#series-linessecurity@apache.org
N/A
https://echarts.apache.org/handbook/en/best-practices/security/#passing_raw_html_safelysecurity@apache.org
N/A
https://github.com/apache/echarts/pull/21608security@apache.org
N/A
https://lists.apache.org/thread/1g6xk7gd9vg1c6zyqqt2lnko10zomc3osecurity@apache.org
N/A
http://www.openwall.com/lists/oss-security/2026/05/23/4af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://echarts.apache.org/en/option.html#series-lines
Source: security@apache.org
Resource: N/A
Hyperlink: https://echarts.apache.org/handbook/en/best-practices/security/#passing_raw_html_safely
Source: security@apache.org
Resource: N/A
Hyperlink: https://github.com/apache/echarts/pull/21608
Source: security@apache.org
Resource: N/A
Hyperlink: https://lists.apache.org/thread/1g6xk7gd9vg1c6zyqqt2lnko10zomc3o
Source: security@apache.org
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/05/23/4
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Change History
0Changes found
Details not found