CVE-2025-69993
CVE-2025-69993
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R
Affected products
n/a · n/apublic PoCs found — 1
githubgithub.com/PierfrancescoConti/leaflet-cve-2025-69993★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →