EXECUTIVE SUMMARY:
CVE-2026-45249 (CVSS score 6.1) is a critical cross-site scripting (XSS) vulnerability in the tooltip rendering component of Apache ECharts, a popular JavaScript charting and visualization library. The issue resides in the library's Lines series tooltip rendering logic in versions prior to 6.1.0, where the software fails to sanitize input strings properly, allowing an attacker to run arbitrary code in a user's browser. An attacker can exploit this vulnerability by manipulating user input strings in the tooltip content. Exploitation requires minimal access and no authentication, and gives the attacker the ability to steal session tokens or hijack user accounts. If exploited, this vulnerability can lead to significant business impact, including compromised enterprise environments and potential financial losses. The prerequisite for exploitation is use of the Lines series in an affected version of Apache ECharts. Exploitation occurs when the browser displays tooltips, which makes the attack highly damaging and difficult to detect, especially in web applications that rely heavily on visualization and chart rendering.
RECOMMENDATION:
We recommend updating Apache ECharts to version 6.1.0.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-echarts-xss-vulnerability-cve-2026-45249/