Description
A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic.

This issue affects Apache ECharts: from before 6.1.0.

In versions prior to 6.1.0, if both a Lines series and the tooltip component are used, no user-specified tooltip.formatter is provided, and series.data[i].name is specified, the raw HTML string in series.data[i].name can be rendered through an innerHTML sink into the tooltip content. Although the tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed.

Users are recommended to upgrade to version 6.1.0, which fixes the issue, if using the Lines series in this way.
Published: 2026-05-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache ECharts contains an XSS flaw in the Lines series tooltip rendering logic. When a Lines series is used together with the tooltip component and the user does not supply a custom tooltip.formatter, the series data name is rendered directly into the tooltip content via innerHTML. The built-in tooltip formatters normally escape HTML automatically; this code path bypasses that safeguard, so a script contained in the series data name may execute in the browser when the tooltip is displayed.

Affected Systems

The vulnerability affects all releases of Apache ECharts prior to version 6.1.0 that use the Lines series with a tooltip and without a custom formatter. The flaw is triggered only when the series data includes a name field containing a raw HTML string.

Risk and Exploitability

The flaw is a classic XSS weakness (CWE-79) that can cause arbitrary script execution in the client's browser when the attacker can supply a series data name containing a script. The CVSS score is 6.1 and the EPSS score is < 1%; the vulnerability is not listed in the CISA KEV catalog. The potential impact is that an attacker who can inject content into the data source can run scripts with the privileges of the user viewing the chart.

Generated by OpenCVE AI on May 26, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Apache ECharts to version 6.1.0 or later to apply the fix.
  • If an upgrade cannot be performed immediately, ensure that any series data name used in the tooltip is sanitized or that a custom tooltip.formatter is provided that properly escapes HTML content.
  • Audit the application code and dependencies to confirm that no other ECharts components expose similar rendering sinks and apply the latest secure releases for all libraries.
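As an added example (not code from this advisory or from the Apache ECharts project), the following implements the second recommended action above: a custom tooltip.formatter that escapes every data-derived string before it is placed into the tooltip's HTML, so the built-in formatter path described in the description is never used. The `params` fields (`seriesName`, `name`, `data`) follow ECharts' documented formatter callback; the `{name, coords}` data item shape, the function names and the route values are constructed for this example.

```javascript
// Added example: HTML-escaping tooltip.formatter for an ECharts Lines series.
// Not from the advisory or the ECharts project; names and sample data are constructed.

// Escape the five characters that change meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Custom formatter: every field that originates in series data passes through
// escapeHtml before being concatenated into the tooltip markup. `params` is the
// ECharts formatter callback object (an array when trigger is 'axis').
// The {name, coords} data item shape is an assumption for a Lines series.
function safeLinesTooltipFormatter(params) {
  const p = Array.isArray(params) ? params[0] : params;
  const coords = p.data && Array.isArray(p.data.coords) ? p.data.coords : [];
  // Render coordinate pairs as plain text, e.g. "13.4, 52.5 to 2.35, 48.85".
  const coordText = coords.map((c) => c.map(Number).join(", ")).join(" to ");
  return (
    `<b>${escapeHtml(p.seriesName || "")}</b><br/>` +
    `${escapeHtml(p.name || "")}<br/>` +
    `${escapeHtml(coordText)}`
  );
}

// Build a chart option in which tooltip.formatter is always set explicitly.
// `routes` is an array of {name, coords} objects (constructed shape).
function buildLinesOption(routes) {
  return {
    tooltip: { trigger: "item", formatter: safeLinesTooltipFormatter },
    series: [
      {
        type: "lines",
        name: "Routes",
        data: routes.map((r) => ({ name: r.name, coords: r.coords })),
      },
    ],
  };
}

// Constructed sample input: the data item name carries markup that must be
// shown as literal text, not interpreted as HTML.
const sampleRoutes = [
  { name: "Berlin <b>express</b>", coords: [[13.4, 52.5], [2.35, 48.85]] },
];

// Simulate what ECharts passes to the formatter for the first data item.
function renderSampleTooltip() {
  const option = buildLinesOption(sampleRoutes);
  const item = option.series[0].data[0];
  return option.tooltip.formatter({ seriesName: "Routes", name: item.name, data: item });
}
```

The option object produced by buildLinesOption would be passed to `chart.setOption(...)` as usual; the important property is that `tooltip.formatter` is defined, so no untrusted `name` reaches the tooltip without passing through escapeHtml. A regression check for the unpatched behaviour is simply to render a tooltip for a data item whose name contains `<b>` and confirm the tag appears as literal text.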

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:00:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:apache:echarts:*:*:*:*:*:*:*:*

Tue, 26 May 2026 17:30:00 +0000
  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 13:45:00 +0000
  Type: References
  Values Added:

Mon, 25 May 2026 12:15:00 +0000
  Type: First Time appeared
  Values Added: Apache; Apache echarts
  Type: Vendors & Products
  Values Added: Apache; Apache echarts

Mon, 25 May 2026 08:15:00 +0000
  Type: Description
  Values Added: A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.
  Type: Title
  Values Added: Apache ECharts: XSS in Lines series tooltip rendering
  Type: Weaknesses
  Values Added: CWE-79
  Type: References
  Values Added:

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-26T16:17:41.575Z

Reserved: 2026-05-11T15:02:11.179Z

Link: CVE-2026-45249

Vulnrichment

Updated: 2026-05-25T09:23:08.150Z

NVD

Status: Analyzed

Published: 2026-05-25T08:16:24.047

Modified: 2026-05-28T13:48:07.777

Link: CVE-2026-45249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T19:00:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')