Leaflet
Monthly
Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.
Leaflet through version 1.9.4 allows stored or reflected cross-site scripting (XSS) via the bindPopup() method, which renders user-supplied HTML without sanitization. Network-based attackers can inject malicious JavaScript through event handler attributes in popup content, executing arbitrary code in victims' browser sessions when they interact with affected map popups. No public exploit code or active exploitation has been confirmed at this time, though the vulnerability carries a CVSS 6.1 base score reflecting moderate risk with network-accessible attack surface and user interaction requirement.