2 matches found
CVE-2025-69993
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting XSS via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...
PT-2026-32628
Name of the Vulnerable Software and Affected Versions Leaflet versions prior to 1.9.5 Description Cross-Site Scripting XSS occurs via the bindPopup function. This function renders user-supplied input as raw HTML without sanitization, which allows the injection of arbitrary JavaScript code through...