CVE-2026-45249
XSS in Apache ECharts Lines Series Tooltip
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | echarts | up to 6.1.0 (excluding 6.1.0) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) issue found in Apache ECharts versions before 6.1.0. It occurs in the Lines series tooltip rendering logic when both Lines series and tooltip are used without a user-specified tooltip.formatter, and series.data[i].name contains raw HTML. In this case, the raw HTML string in series.data[i].name is rendered directly into the tooltip content using innerHTML without proper escaping, which can lead to unexpected script execution when tooltips are displayed.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary scripts in the context of the affected application by injecting malicious HTML or JavaScript into the series.data[i].name field. When the tooltip displays this data, the malicious script can run, potentially leading to unauthorized actions such as stealing user information, session hijacking, or defacing the user interface.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache ECharts to version 6.1.0 or later.
This upgrade fixes the issue related to the Lines series tooltip rendering logic that could lead to cross-site scripting (XSS).
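The explanation above describes the defect as raw item names being written into the tooltip via innerHTML when no tooltip.formatter is set. The following is an added example, not code from the advisory or from the ECharts project, showing a defensive formatter that HTML-escapes the item name before it reaches the tooltip, which a deployment can supply alongside scheduling the upgrade to 6.1.0. It assumes the public ECharts formatter callback shape (a params object, or an array of them, carrying seriesName, name, data.name and value).

```javascript
// Added example: an escaping tooltip.formatter for a Lines series.
// Assumption: ECharts calls tooltip.formatter with a params object (or an
// array of them) exposing seriesName, name, data.name and value.

// Escape the five characters that can open tags or break out of attributes.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Formatter that never lets a raw series.data[i].name into the tooltip markup.
function safeLinesTooltipFormatter(params) {
  const items = Array.isArray(params) ? params : [params];
  return items.map((p) => {
    // Lines series items carry their name on the data object; fall back to params.name.
    const name = (p.data && p.data.name != null) ? p.data.name : p.name;
    const value = Array.isArray(p.value) ? p.value.join(', ') : p.value;
    return `${escapeHtml(p.seriesName)}: ${escapeHtml(name)} (${escapeHtml(value)})`;
  }).join('<br/>');
}

// Returns true when the rendered tooltip contains no tag other than the <br/> separator.
function tooltipIsEscaped(params) {
  return !/<(?!br\/>)/.test(safeLinesTooltipFormatter(params));
}

// Constructed sample: an item name that carries raw HTML (not a real dataset).
const untrustedItemName = '<b>Route A</b><script>notify()</script>';

// How the chart option would be wired; `echarts.setOption(chartOption)` is not
// invoked here so the example runs without the library.
const chartOption = {
  tooltip: { trigger: 'item', formatter: safeLinesTooltipFormatter },
  series: [{ type: 'lines', data: [{ name: untrustedItemName, coords: [[0, 0], [1, 1]] }] }],
};

if (typeof module !== 'undefined' && require.main === module) {
  const params = { seriesName: 'routes', data: chartOption.series[0].data[0], value: 42 };
  console.log(safeLinesTooltipFormatter(params));
  console.log('escaped:', tooltipIsEscaped(params));
}
```

This replaces the default tooltip content with escaped plain text, so the interim measure trades rich tooltip markup for safety until the upgrade is in place.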