SCA: security update for echarts (GHSA-fgmj-fm8m-jvvx)

medium Tenable Cloud Security Plugin ID 444184

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A cross-site scripting (XSS) vulnerability exists in the Lines series tooltip rendering logic of
Apache ECharts. It affects Apache ECharts versions before 6.1.0. In those versions, if a Lines series
and a tooltip are both used, no user-specified tooltip.formatter is provided, and series.data[i].name
is specified, the raw HTML string in series.data[i].name can be rendered into the tooltip content
through an innerHTML sink. Although a tooltip may accept user-provided raw HTML via a custom
tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically.
This case breaks that convention and may unexpectedly lead to script execution when tooltips are
displayed. Users who use the Lines series in this way are recommended to upgrade to version 6.1.0,
which fixes the issue. (CVE-2026-45249)
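
The conditions in the description can be checked on a chart option before it is rendered. The following is an added example, not code from the advisory, Tenable or the ECharts project: it reports Lines series that match those conditions and HTML-escapes `series.data[i].name` in a copy of the option. The helper names and the sample option are hypothetical, and it assumes a tooltip is only shown when a top-level `tooltip` component is configured.

```javascript
// Added example, not ECharts code. Helper names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (v) => String(v).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
const asArray = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);
// A formatter means the application has taken over tooltip output itself.
const hasFormatter = (tooltip) => tooltip != null && tooltip.formatter != null;

// Returns { option, findings }: a copy of `option` in which data[i].name is
// HTML-escaped for every Lines series matching the advisory's conditions,
// plus a list of the names that contained HTML metacharacters.
function guardLinesTooltipNames(option) {
  const findings = [];
  const tooltips = asArray(option.tooltip);
  // Assumption: without a top-level tooltip component no tooltip is rendered.
  if (tooltips.length === 0 || tooltips.some(hasFormatter)) return { option, findings };
  const series = asArray(option.series).map((s, seriesIndex) => {
    if (!s || s.type !== 'lines' || hasFormatter(s.tooltip) || !Array.isArray(s.data)) return s;
    const data = s.data.map((item, dataIndex) => {
      const isObject = item && typeof item === 'object' && !Array.isArray(item);
      if (!isObject || item.name == null) return item;
      const safe = escapeHtml(item.name);
      if (safe !== String(item.name)) findings.push({ seriesIndex, dataIndex, name: item.name });
      return { ...item, name: safe };
    });
    return { ...s, data };
  });
  return { option: { ...option, series }, findings };
}

// Constructed sample: the second name stands in for an untrusted label with markup.
const SAMPLE_OPTION = {
  tooltip: {},
  series: [
    { type: 'lines', data: [
      { name: 'Route A', coords: [[0, 0], [1, 1]] },
      { name: '<b>Route B</b>', coords: [[1, 1], [2, 0]] },
    ] },
    { type: 'bar', data: [{ name: '<i>untouched</i>', value: 3 }] },
  ],
};
const guarded = guardLinesTooltipNames(SAMPLE_OPTION);
console.log(guarded.findings, guarded.option.series[0].data[1].name);
```

The escaped string is what every other consumer of `data[i].name` will see as well, so this is a stopgap for deployments that cannot upgrade yet, not a replacement for the upgrade.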

Solution

Update the echarts library and its related packages to version 6.1.0 or later.

See Also

https://github.com/advisories/GHSA-fgmj-fm8m-jvvx

Plugin Details

Severity: Medium

ID: 444184

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/30/2026

Updated: 6/30/2026

Risk Information

VPR

Risk Factor: Low

Score: 3.8

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-45249

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/26/2026

Vulnerability Publication Date: 5/25/2026

Reference Information

CVE: CVE-2026-45249

CWE: CWE-79