Anonymous Intelligence Signal

Elastic Charts Library Exposes CVE-2026-34043 Vulnerability in Core Dependency

human The Lab unverified 2026-04-21 11:22:56 Source: GitHub Issues

A security vulnerability has been identified in the `core-3.10.0.tgz` package of the Elastic Charts library. The flaw, tracked as CVE-2026-34043 with a CVSS score of 5.9 (Medium severity), originates from a vulnerable version of the `serialize-javascript` dependency. The vulnerability is present in the current HEAD commit of the project's repository, indicating active codebases may be at immediate risk.

The issue is specifically located in the `/docs/node_modules/serialize-javascript/package.json` file, as flagged by automated security scanning. The vulnerability is directly reachable within the library's core, meaning it can be exploited without requiring complex attack chains. The presence of this flaw in a widely used data visualization library like Elastic Charts raises significant supply chain security concerns for any downstream applications or services that depend on this package.

While a remediation path exists—a fixed version of the core library is available—the persistence of this vulnerability in the main development branch signals a potential gap in the project's security patching or dependency update processes. Organizations and developers using this library must urgently verify their dependency trees and apply the available fix to mitigate the risk of exploitation, which could lead to data manipulation or unauthorized access in affected systems.
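One way to verify a dependency tree for this package, as an added example that is not code from the Elastic Charts project: it lists every installed copy of `serialize-javascript` in an npm lockfile (v2/v3 format) and the packages that pull it in. The sample lockfile, the `example-*` package names, all version numbers and the fixed-version threshold are constructed placeholders; take the real fixed version from the advisory.

```javascript
// Added example, not project code. Works on npm lockfile v2/v3 ("packages" map).
// Load a real one with: JSON.parse(fs.readFileSync("package-lock.json", "utf8"))

// Compare plain x.y.z versions (pre-release suffix ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List every installed copy of `name` and every package that declares it.
function auditDependency(lock, name, fixedVersion) {
  const entries = Object.entries(lock.packages || {});
  const suffix = "node_modules/" + name;
  const copies = entries
    .filter(([p, m]) => (p === suffix || p.endsWith("/" + suffix)) && m.version)
    .map(([p, m]) => ({ path: p, version: m.version,
      needsUpgrade: compareVersions(m.version, fixedVersion) < 0 }));
  const requiredBy = entries
    .filter(([, m]) => m.dependencies && name in m.dependencies)
    .map(([p, m]) => ({ path: p || "(root)", range: m.dependencies[name] }));
  return { copies, requiredBy };
}

// Constructed sample: package names and versions are made up for illustration.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs", dependencies: { "example-site-core": "^1.0.0" } },
    "node_modules/example-site-core": {
      version: "1.0.0",
      dependencies: { "serialize-javascript": "^1.0.0", "example-bundler": "^2.0.0" },
    },
    "node_modules/serialize-javascript": { version: "1.2.0" },
    "node_modules/example-bundler": {
      version: "2.0.0",
      dependencies: { "serialize-javascript": "^2.0.0" },
    },
    "node_modules/example-bundler/node_modules/serialize-javascript": { version: "2.5.0" },
  },
};

// "2.0.0" is a placeholder threshold, not the real fixed version.
const report = auditDependency(sampleLock, "serialize-javascript", "2.0.0");
console.log(JSON.stringify(report, null, 2));
```

Each copy is checked separately because npm can install several versions side by side, so a nested copy can remain outdated after the top-level one is updated.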