CVE-2025-69993
Published: Apr 14, 2026
Modified: Apr 21, 2026
CVSS v3.1
6.1
Description
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R
Attack Complexity
Attack Vector
Availability
Confidentiality
Integrity
Privileges Required
Scope
User Interaction
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now