Description
Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.
Published: 2026-06-15
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Valhalla routing engine versions up to 3.6.3 include a reflected cross‑site scripting flaw caused by an unsanitized JSONP callback parameter. The callback value is echoed directly into an application/javascript response without validation, encoding, or whitelist filtering, allowing an attacker to inject arbitrary JavaScript. When a victim loads a crafted URL through a <script src="..."> tag, the injected code executes with the Valhalla server’s origin context, potentially enabling session cookie theft, credential disclosure, or the execution of actions on behalf of the user. This vulnerability is classified as CWE‑79.

Affected Systems

The affected product is Valhalla, an open‑source routing engine and library set designed for use with OpenStreetMap data. Vulnerable releases extend through version 3.6.3; any install of Valhalla 3.6.3 or older is susceptible. No additional vendor or version details are provided beyond the CNA listing of valhalla:valhalla.

Risk and Exploitability

The CVSS score of 6.1 suggests moderate severity, while the EPSS score of less than 1% indicates a low probability of active exploitation at the time of publication. Valhalla is not listed in the CISA KEV catalog. Exploitation requires an unprivileged attacker to lure a victim into loading a malicious JSONP URL. Based on the description, it is inferred that an attacker may convey the malicious URL through phishing emails or malicious web pages that embed a <script src="..."> tag pointing to the vulnerable endpoint. Once the victim’s browser executes the injected script under the Valhalla origin, arbitrary client‑side code runs with the victim’s privileges.

Generated by OpenCVE AI on June 18, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Valhalla to a release that validates JSONP callback inputs and removes the vulnerability.
  • If an upgrade cannot be performed immediately, disable or restrict the JSONP callback feature by rejecting requests containing a callback parameter or by enforcing a whitelist of safe callback names.
  • Implement server‑side validation that permits only safe characters (alphanumeric, underscore, dot) in the callback parameter, rejecting any other input to block reflected script injection.
  • Deploy a strict Content Security Policy on the Valhalla server that disallows inline scripts and restricts script sources to trusted domains, mitigating the impact of any remaining reflected XSS.

Generated by OpenCVE AI on June 18, 2026 at 01:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Valhalla
Valhalla valhalla
Vendors & Products Valhalla
Valhalla valhalla

Mon, 15 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.
Title Valhalla has reflected XSS via unsanitized JSONP callback parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Valhalla Valhalla
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T19:23:54.236Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49294

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-15T18:16:35.460

Modified: 2026-06-16T15:51:29.037

Link: CVE-2026-49294

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:08:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')