
204 matches found

OSSF Malicious Packages
added 2026/05/19 12:0 a.m. | 6 views

Malicious code in @antv/l7-leaflet (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0 | References: 5

OSV
added 2026/05/19 12:0 a.m. | 5 views

MAL-2026-4042 Malicious code in @antv/l7-leaflet (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0 | References: 5

Tenable Nessus
added 2026/04/15 12:0 a.m. | 1 view

Linux Distros Unpatched Vulnerability : CVE-2025-69993

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00044
Exploits: 2 | References: 3

RedhatCVE
added 2026/04/14 6:19 p.m. | 3 views

CVE-2025-69993

A flaw was found in Leaflet. This Cross-Site Scripting (XSS) vulnerability exists in the bindPopup method, which fails to sanitize user-supplied input. A remote attacker can exploit this by injecting malicious JavaScript code into map popups. When a victim views an affected map, the injected script...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00044
Exploits: 2 | References: 5

Snyk
added 2026/04/14 4:15 p.m. | 4 views

Cross-site Scripting (XSS)

Overview: org.webjars.npm:leaflet is a JavaScript library for mobile-friendly interactive maps. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the bindPopup method. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 2

Snyk
added 2026/04/14 4:15 p.m. | 4 views

Cross-site Scripting (XSS)

Overview: leaflet is a JavaScript library for mobile-friendly interactive maps. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the bindPopup method. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by injecting malicious...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 2

vulnersOsv
added 2026/04/14 4:15 p.m. | 3 views

de.digitalcollections:iiif-bookshelf-webapp (>=2.6.2 <=3.1.0), de.digitalcollections:iiif-server-demo (>=2.1.3 <=4.0.6) +24 more potentially affected by CVE-2025-69993 via org.webjars.npm:leaflet (>=0.7.7 <=2.0.0-alpha.1)

org.webjars.npm:leaflet MAVEN version =0.7.7, =2.6.2, =2.1.3, =0.9.0, =1.0.3, =1.2.0, =2.4.0 and more Source cves: CVE-2025-69993 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-16427277...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00044
Exploits: 2

vulnersOsv
added 2026/04/14 4:15 p.m. | 4 views

2gis-maps (>=2.2.4 <=4.0.12), 2ndlogiccomponents (>=1.1.0 <=1.5.0) +3038 more potentially affected by CVE-2025-69993 via leaflet (>=0.5.1 <=2.0.0-alpha.1)

leaflet NPM version =0.5.1, =2.2.4, =1.1.0, =1.0.44, =5.4.0-pre.1, =5.4.0-pre.1, =0.0.1, =1.6.1, =1.0.0, =4.0.0, =0.1.0, =0.0.2, =1.0.0, =2.0.1 and more Source cves: CVE-2025-69993 Source advisory: SNYK:JS-LEAFLET-16427276...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00044
Exploits: 2

EUVD
added 2026/04/14 3:30 p.m. | 2 views

EUVD-2025-209449

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 3

OSV
added 2026/04/14 3:16 p.m. | 2 views

DEBIAN-CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.00044
Exploits: 2 | References: 1

NVD
added 2026/04/14 3:16 p.m. | 1 view

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | EPSS: 0.00044
Exploits: 2 | References: 2

OSV
added 2026/04/14 3:16 p.m. | 1 view

UBUNTU-CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 4

UbuntuCve
added 2026/04/14 3:16 p.m. | 1 view

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 3

GithubExploit
added 2026/04/14 9:31 a.m. | 87 views

Exploit for CVE-2025-69993

Leaflet XSS POC Proof of Concept for CVE-2025-69993 — XSS vul...

AI score: 5.8 | EPSS: 0.00044
Exploits: 2

CVE
added 2026/04/14 12:0 a.m. | 6 views

CVE-2025-69993

Leaflet up to v1.9.4 is affected by Cross‑Site Scripting via bindPopup(), where user input is rendered as raw HTML without sanitization, enabling injected JavaScript through event handler attributes (e.g., ) to execute in a victim’s browser session. A Proof‑of‑Concept exploit is available at the ...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 2 | Affected Software: 1

Positive Technologies
added 2026/04/14 12:0 a.m. | 1 view

PT-2026-32628

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 4

CNNVD
added 2026/04/14 12:0 a.m. | 3 views

Leaflet security vulnerability

Leaflet is a lightweight interactive map development library developed by Volodymyr Agafonkin. Versions of Leaflet 1.9.4 and earlier contain security vulnerabilities; these vulnerabilities stem from the bindPopup method not properly cleaning user input, which may lead to cross-site scripting...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00044
Exploits: 2 | References: 2

Cvelist
added 2026/04/14 12:0 a.m. | 27 views

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | EPSS: 0.00044
Exploits: 2 | References: 2

Vulnrichment
added 2026/04/14 12:0 a.m. | 1 view

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 2

ATTACKERKB
added 2026/04/14 12:0 a.m. | 1 view

CVE-2025-69993

Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes e.g., . When a victim...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00044
Exploits: 2 | References: 3