Skip to main content

Leaflet

1 CVEs product

Monthly

CVE-2025-69993 MEDIUM This Month

Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.

XSS Leaflet
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM This Month

Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.

XSS Leaflet
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy