Versions of pannellum prior to 2.5.6 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize URLs for data URIs, which may allow attackers to execute arbitrary code in a victim's browser.

Recommendation

Upgrade to version 2.5.6 or later.

References

• GHSA-m52x-29pq-w3vv
• https://nvd.nist.gov/vuln/detail/CVE-2019-16763
• GHSA-m52x-29pq-w3vv
• https://www.npmjs.com/advisories/1418
• mpetroff/pannellum@cc2f3d9