Sorry for taking the time with this report.
This is already publicly disclosed issue at -https://github.com/makeusabrew/bootbox/issues/661
In essence all dialogs of bootbox vulnurable to XSS injections ( bootbox.alert("\<script\>alert(1);\</script\>"); )
This is apparently a feature to allow injecting HTML in messages but it is not very clear from the documentation.
Even though this issue has been reported for a while no changes were made to fix this issue or even update the documentation
Websites using bootbox to display messages containing user input are vulnerable to XSS