Lucene search
+L

9 matches found

redhatcve
redhatcve
added 2026/04/14 6:19 p.m.7 views

CVE-2025-69993

A flaw was found in Leaflet. This Cross-Site Scripting XSS vulnerability exists in the bindPopup method, which fails to sanitize user-supplied input. A remote attacker can exploit this by injecting malicious JavaScript code into map popups. When a victim views an affected map, the injected script...

6.1CVSS5.8AI score0.00191EPSS
Exploits2References5
euvd
euvd
added 2026/04/14 3:30 p.m.5 views

EUVD-2025-209449

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting XSS via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

6.1CVSS5.9AI score0.00191EPSS
Exploits2References3
nvd
nvd
added 2026/04/14 3:16 p.m.4 views

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting XSS via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

6.1CVSS0.00191EPSS
Exploits2References2
osv
osv
added 2026/04/14 3:16 p.m.5 views

DEBIAN-CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting XSS via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

6.1CVSS5.5AI score0.00191EPSS
Exploits2References1
cve
cve
added 2026/04/14 12:0 a.m.37 views

CVE-2025-69993

Leaflet up to v1.9.4 is affected by Cross‑Site Scripting via bindPopup(), where user input is rendered as raw HTML without sanitization, enabling injected JavaScript through event handler attributes (e.g., ) to execute in a victim’s browser session. A Proof‑of‑Concept exploit is available at the ...

6.1CVSS5.9AI score0.00191EPSS
Exploits2References2Affected Software1
cvelist
cvelist
added 2026/04/14 12:0 a.m.34 views

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting XSS via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

6.1CVSS0.00191EPSS
Exploits2References2
vulnrichment
vulnrichment
added 2026/04/14 12:0 a.m.2 views

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting XSS via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

6.1CVSS5.9AI score0.00191EPSS
Exploits2References2
ptsecurity
ptsecurity
added 2026/04/14 12:0 a.m.6 views

PT-2026-32628

Name of the Vulnerable Software and Affected Versions Leaflet versions prior to 1.9.5 Description Cross-Site Scripting XSS occurs via the bindPopup function. This function renders user-supplied input as raw HTML without sanitization, which allows the injection of arbitrary JavaScript code through...

6.1CVSS6.1AI score0.00191EPSS
Exploits2References11
cnnvd
cnnvd
added 2026/04/14 12:0 a.m.24 views

Leaflet 安全漏洞

Leaflet is a lightweight interactive map development library developed by Volodymyr Agafonkin. Versions of Leaflet 1.9.4 and earlier contain security vulnerabilities; these vulnerabilities stem from the bindPopup method not properly cleaning user input, which may lead to cross-site scripting...

6.1CVSS5.6AI score0.00191EPSS
Exploits2References2
Rows per page
Query Builder