PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45249 Apache Software Foundation CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in Apache ECharts versions prior to 6.1.0, specifically within the Lines series tooltip rendering logic. The issue occurs when the Lines series is used with tooltips enabled, no custom tooltip.formatter is specified, and series.data[i].name contains attacker-controlled HTML. In this configuration, the built-in tooltip formatter fails to escape the name value, rendering it through innerHTML and enabling arbitrary script execution when a user hovers over affected data points. While ECharts conventionally escapes HTML in built-in formatters and allows intentional raw HTML only through explicit custom formatters, this specific code path bypasses that protection. The vulnerability requires user interaction (tooltip hover) and can affect confidentiality and integrity within the browser context. Apache has released version 6.1.0 to address this issue.

Vendor: Apache Software Foundation
Product: Apache ECharts
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations using Apache ECharts versions prior to 6.1.0 with Lines series visualizations, particularly those displaying dynamic or user-contributed data in series names. Web application developers, security engineers, and data visualization teams should prioritize this update if their applications render external data in ECharts Lines series tooltips.

Technical summary

The vulnerability resides in the default tooltip formatter for the Lines series in Apache ECharts. When series.data[i].name is populated with untrusted data and no custom tooltip.formatter is provided, the value is inserted directly into the DOM via innerHTML without HTML entity encoding. This creates a stored XSS condition that executes when users interact with chart tooltips. The attack vector is network-based with low attack complexity, requiring no privileges but user interaction (tooltip hover). The scope is changed due to JavaScript execution context, with low impact to confidentiality and integrity. The fix in 6.1.0 ensures proper HTML escaping in the built-in Lines series tooltip formatter, restoring consistency with other series types.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Apache ECharts to version 6.1.0 or later if using Lines series with tooltips and series.data[i].name values derived from untrusted sources
  • If immediate upgrade is not feasible, implement a custom tooltip.formatter that explicitly escapes HTML content for Lines series data points
  • Audit existing Lines series configurations to identify any use of dynamic or user-supplied data in series.data[i].name fields
  • Review application data flows to ensure series.data[i].name values are sanitized before being passed to ECharts configuration objects
  • Monitor for suspicious tooltip interactions in applications using affected ECharts versions, particularly where Lines series display external or user-contributed data
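The second recommended action (an explicit tooltip.formatter that escapes HTML for Lines series data) is shown below as an added example; it is not code from the Apache ECharts project or from the advisory. It assumes the standard ECharts formatter callback object, from which only the seriesName and name fields are read, and the Lines series data shape (name plus coords). The sample route data is constructed, and the coordinate-system and map setup a real Lines chart needs is omitted.

```javascript
// Added example (not ECharts project code): a custom tooltip.formatter for a
// Lines series that HTML-escapes every untrusted field before returning markup.
// ECharts inserts whatever a formatter returns via innerHTML, so the formatter
// itself is the place where escaping has to happen.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const text = value == null ? '' : String(value);
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Formatter for tooltip.formatter. `params` is the ECharts callback object;
// the fields used here (seriesName, name) are assumed from that API.
function linesTooltipFormatter(params) {
  // With tooltip.trigger 'axis' ECharts passes an array; Lines normally uses
  // 'item' (a single object). Accept both so the formatter is safe under either.
  const items = Array.isArray(params) ? params : [params];
  return items
    .map((p) => `<div>${escapeHtml(p.seriesName)}: ${escapeHtml(p.name)}</div>`)
    .join('');
}

// Hardened option: the same Lines series config one would write by default,
// except that the tooltip formatter is explicit. Without a formatter, versions
// before 6.1.0 render each data item's `name` unescaped.
function buildHardenedOption(untrustedRoutes) {
  return {
    tooltip: { trigger: 'item', formatter: linesTooltipFormatter },
    series: [{
      type: 'lines',
      name: 'Routes',
      data: untrustedRoutes.map((r) => ({
        name: r.name, // stored as-is; escaping is applied at render time
        coords: r.coords,
      })),
    }],
  };
}

// Constructed sample input: the second item's name carries markup, as a
// user-contributed route label would in the stored-XSS scenario.
const sampleRoutes = [
  { name: 'Depot to Hub', coords: [[116.4, 39.9], [121.5, 31.2]] },
  { name: 'Hub<script>alert(1)</script>', coords: [[121.5, 31.2], [114.1, 22.3]] },
];

// Simulate the callback ECharts would make when the second point is hovered,
// and return the tooltip HTML the formatter produces.
function renderSecondTooltip() {
  const option = buildHardenedOption(sampleRoutes);
  const series = option.series[0];
  const params = { seriesName: series.name, name: series.data[1].name, dataIndex: 1 };
  return option.tooltip.formatter(params);
}

console.log(renderSecondTooltip());
```

Escaping at render time, in the formatter, is preferable to pre-escaping the name values in the data layer: once the application moves to 6.1.0, where the built-in formatter escapes the name itself, pre-escaped data would be encoded a second time and display as literal entities. Stripping or rejecting markup at ingest (the fourth action above) is compatible with both.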

Evidence notes

CVE description confirms XSS in Lines series tooltip rendering when series.data[i].name is rendered via innerHTML without escaping. CVSS 6.1 (MEDIUM) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Fix confirmed in Apache ECharts 6.1.0 via GitHub pull request. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified.

Official resources

2026-05-25T08:16:24.047Z