Skip to main content

Leaflet Map CVE-2026-39646

| EUVDEUVD-2026-20307 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 Patchstack GHSA-jggj-35mq-63v8
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20307
Analysis Generated
Apr 08, 2026 - 08:45 vuln.today
CVE Published
Apr 08, 2026 - 08:30 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bozdoz Leaflet Map leaflet-map allows Stored XSS.This issue affects Leaflet Map: from n/a through <= 3.4.4.

AnalysisAI

Stored cross-site scripting (XSS) in bozdoz Leaflet Map WordPress plugin versions up to 3.4.4 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement. The vulnerability has a low EPSS score (0.03%, 8th percentile) suggesting minimal real-world exploitation likelihood despite moderate CVSS severity, and no public exploit code or active exploitation has been confirmed.

Technical ContextAI

The vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79), a classic stored XSS flaw where the Leaflet Map plugin fails to adequately sanitize or escape user input before rendering it in HTML output. This allows an authenticated user with low-level WordPress permissions (PR:L in CVSS vector) to craft malicious payloads that persist in the application's database. When other users, including administrators, view pages containing the injected content, the JavaScript executes in their browser context with the site's same-origin privileges. The CPE identifier cpe:2.3:a:bozdoz:leaflet_map indicates this affects the bozdoz Leaflet Map product family across all configurations, platforms, and languages in the affected version range.

RemediationAI

Update the bozdoz Leaflet Map plugin to a version newer than 3.4.4 immediately. WordPress administrators should navigate to Plugins → Installed Plugins, locate Leaflet Map, and select 'Update' if a patched version is available in the WordPress.org plugin repository. If no update is yet available from the plugin author, disable the plugin temporarily and consider alternative map embedding solutions until a patch is released. Review plugin access controls and ensure only trusted administrators have permissions to create or modify map content pending a vendor-released patch. The official vulnerability report and patch status can be verified through Patchstack's database entry and the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2026-39646

Share

CVE-2026-39646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy