Billboard.js versions prior to 3.18.0 allow an attacker to inject arbitrary JavaScript code by providing specially crafted chart option values. The vulnerability arises from inadequate input sanitization during the option binding phase, enabling malicious scripts to run within the context of a page that loads the library. This can compromise user data, session information, or allow further attacks such as phishing or data exfiltration if an attacker can persuade the target to view a page containing the vulnerable library.

The vulnerability affects all implementations of the Naver Billboard.js JavaScript charting library before version 3.18.0. No specific third‑party products or additional module versions are listed, so any web application that includes this library version is potentially exposed.

The CVSS score of 6.1 reflects a medium‑severity flaw with a client‑side attack vector. EPSS indicates a very low likelihood of exploitation (<1%), and the vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog, suggesting it has not yet been widely abused. The attack requires that the victim load a page incorporating the vulnerable library and that the attacker can supply or manipulate the chart option input, making real‑world exploitation likely limited to phishing campaigns or compromised sites. Nevertheless, because the impact is client‑side code execution, it poses significant risks to users who may inadvertently run malicious scripts.