Description
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting via unsanitized popup content
Action: Apply Patch
AI Analysis

Impact

Leaflet’s bindPopup() method renders any string passed to it as raw HTML inside a popup without sanitization, allowing an attacker to inject HTML elements that carry event handler attributes such as onerror. When a user opens the popup, the embedded JavaScript executes in the context of the web application, enabling the attacker to steal cookies, hijack sessions, or perform further malicious actions. This results in compromised confidentiality and integrity of data processed by the application.

Affected Systems

All web applications that use the open‑source Leaflet mapping library with a version up to and including 1.9.4 are affected. The flaw applies to any vendor or project that ships or incorporates these releases, regardless of deployment environment. Upgrading to a version newer than 1.9.4 removes the vulnerability.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, and the absence of an EPSS score means the likelihood of exploitation is uncertain. Exploitation requires that the attacker can insert untrusted content into a popup, a scenario common in applications that display dynamic user data in map popups. The attack is client‑side and does not require special privileges; however, it can lead to significant damage if users load malicious content. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no large‑scale public exploits have been documented yet.

Generated by OpenCVE AI on April 14, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Leaflet to a version newer than 1.9.4.
  • If upgrading is not immediately possible, sanitize any user‑supplied data before passing it to bindPopup by removing event handler attributes and other executable content.
  • Validate or escape popup content to prevent embedded JavaScript from executing in the browser.
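The two mitigations above (escape before passing content to bindPopup, and flag executable markup in incoming data) as an added example; this is not Leaflet or OpenCVE code. It assumes popup content comes from an untrusted record with `name` and `notes` fields and that the returned string is what an application would hand to `marker.bindPopup()`.

```javascript
// Added example, not part of the Leaflet project. Assumes an untrusted record
// {name, notes} whose fields end up in a Leaflet popup via bindPopup(html).

// Escape the five characters that let text break out of an HTML text node or a
// quoted attribute value. The result is safe in a text context or quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build popup markup from an untrusted record. Every dynamic value goes through
// escapeHtml, so a payload such as <img src=x onerror=...> renders as literal text
// instead of being parsed as an element with an event handler.
function buildPopupHtml(record) {
  return `<strong>${escapeHtml(record.name)}</strong>` +
         `<p>${escapeHtml(record.notes)}</p>`;
}

// Audit helper: detect markup carrying an inline event-handler attribute (onerror,
// onload, ...) so attempts to inject into popup content can be logged and reviewed.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;
function looksLikeXssPayload(value) {
  return EVENT_HANDLER_RE.test(String(value));
}

// Constructed sample record mirroring the payload quoted in the advisory.
const sampleRecord = {
  name: 'Cafe',
  notes: '<img src=x onerror="alert(\'XSS\')">',
};

// In an application: marker.bindPopup(buildPopupHtml(sampleRecord));
// The popup then shows the tag as text, and looksLikeXssPayload flags the input.
```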

Generated by OpenCVE AI on April 14, 2026 at 16:35 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 00:15:00 +0000

Type: Title
  Values Removed: Cross‑Site Scripting via Unfiltered Popup Content in Leaflet ≤1.9.4
  Values Added: Leaflet: Leaflet: Cross-Site Scripting (XSS) via unsanitized input in bindPopup() method
Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Moderate


Tue, 14 Apr 2026 18:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:45:00 +0000

Type: Title
  Values Added: Cross‑Site Scripting via Unfiltered Popup Content in Leaflet ≤1.9.4
Type: Weaknesses
  Values Added: CWE-79

Tue, 14 Apr 2026 15:00:00 +0000

Type: Description
  Values Added: Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T17:45:26.763Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69993

Vulnrichment

Updated: 2026-04-14T17:45:21.468Z

NVD

Status: Received

Published: 2026-04-14T15:16:25.477

Modified: 2026-04-14T18:16:41.530

Link: CVE-2025-69993

Redhat

Severity: Moderate

Public Date: 2026-04-14T00:00:00Z

Links: CVE-2025-69993 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:37:17Z

Weaknesses