CVE-2026-45249: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache Software Foundation Apache ECharts
A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.
AI Analysis
Technical Summary
Apache ECharts before version 6.1.0 contains a CWE-79 cross-site scripting vulnerability in the Lines series tooltip rendering logic. If both Lines series and tooltip are used without a user-specified tooltip.formatter, and series.data[i].name is set, the raw HTML string in series.data[i].name is inserted via innerHTML into the tooltip content without escaping. This can lead to script execution when tooltips are displayed, violating the expected automatic HTML escaping behavior of built-in tooltip formatters. Upgrading to version 6.1.0 resolves this issue.
Potential Impact
This vulnerability allows an attacker to inject and execute arbitrary scripts in the context of the affected web application’s tooltips when using the Lines series without a custom tooltip formatter. This can lead to typical XSS impacts such as session hijacking, content manipulation, or other malicious actions executed in the victim’s browser. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
Users should upgrade Apache ECharts to version 6.1.0 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Until upgraded, avoid using Lines series tooltips without a custom tooltip.formatter that properly escapes or sanitizes series.data[i].name values.
CVE-2026-45249: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Apache Software Foundation Apache ECharts
Description
A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache ECharts before version 6.1.0 contains a CWE-79 cross-site scripting vulnerability in the Lines series tooltip rendering logic. If both Lines series and tooltip are used without a user-specified tooltip.formatter, and series.data[i].name is set, the raw HTML string in series.data[i].name is inserted via innerHTML into the tooltip content without escaping. This can lead to script execution when tooltips are displayed, violating the expected automatic HTML escaping behavior of built-in tooltip formatters. Upgrading to version 6.1.0 resolves this issue.
Potential Impact
This vulnerability allows an attacker to inject and execute arbitrary scripts in the context of the affected web application’s tooltips when using the Lines series without a custom tooltip formatter. This can lead to typical XSS impacts such as session hijacking, content manipulation, or other malicious actions executed in the victim’s browser. No known exploits in the wild have been reported as of the publication date.
Mitigation Recommendations
Users should upgrade Apache ECharts to version 6.1.0 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Until upgraded, avoid using Lines series tooltips without a custom tooltip.formatter that properly escapes or sanitizes series.data[i].name values.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-11T15:02:11.179Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1403d8a5ae1af1aa75455c
Added to database: 5/25/2026, 8:10:00 AM
Last enriched: 5/25/2026, 8:25:27 AM
Last updated: 5/25/2026, 11:07:43 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.