Skip to main content

Valhalla EUVDEUVD-2026-36741

| CVE-2026-49294 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 GitHub_M
6.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requiring victim interaction (UI:R); no privileges needed; scope changes to victim browser origin (S:C); confidentiality and integrity limited to session-level data, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 18:29 vuln.today

DescriptionCVE.org

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.

AnalysisAI

Reflected XSS in Valhalla's JSONP endpoint allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by crafting a malicious URL containing payload in the callback parameter. All versions through 3.6.3 are affected, and the CVSS scope change (S:C) reflects that execution occurs in the serving origin's context rather than a sandboxed one, enabling session theft and unauthorized actions on authenticated victims. No patch was available at time of publication, and no public exploit code has been identified at time of analysis.

Technical ContextAI

Valhalla is an open-source C++ routing engine (CPE: cpe:2.3:a:valhalla:valhalla:*:*:*:*:*:*:*:*) built on OpenStreetMap data, exposing HTTP APIs for routing and map-matching. It supports JSONP (JSON with Padding), a legacy browser technique for cross-origin data access predating CORS, where the API wraps a JSON response in a caller-supplied JavaScript function name. The flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) occurs because the callback parameter value is written directly into the HTTP response body - with Content-Type: application/javascript - without validation, output encoding, or allowlist filtering. This is a textbook reflected XSS variant: the server acts as an unwilling script host, reflecting attacker-controlled content to victim browsers. The CVSS S:C metric confirms scope change: the vulnerability is on the Valhalla server, but the impact materialises in the victim's browser within the Valhalla origin.

RemediationAI

No vendor-released patch has been identified at time of analysis - the CVE description explicitly states this issue was not fixed at time of publication. Operators should monitor the upstream repository at https://github.com/valhalla/valhalla and the advisory GHSA-85xx-39j8-r56x for patch availability. As immediate compensating controls: disable JSONP support entirely at the application or reverse-proxy layer if CORS is a viable alternative for cross-origin consumers, since modern browsers universally support CORS and JSONP is a legacy pattern. If disabling JSONP is not feasible, deploy a Web Application Firewall (WAF) rule to validate that the callback parameter matches a strict alphanumeric allowlist (e.g., [a-zA-Z0-9_]{1,64}) and reject or strip any request that does not conform - note this introduces a risk of breaking legitimate integrations that use non-standard callback names. Additionally, restrict network access to the Valhalla API to trusted internal networks where possible, reducing the pool of potential attackers who can deliver crafted URLs. None of these controls address the root cause; patching remains the definitive fix.

Share

EUVD-2026-36741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy