CVE-2025-69993

Leaflet up to v1.9.4 is affected by Cross‑Site Scripting via bindPopup(), where user input is rendered as raw HTML without sanitization, enabling injected JavaScript through event handler attributes (e.g., ) to execute in a victim’s browser session. A Proof‑of‑Concept exploit is available at the ...