{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69993", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T17:36:25.753Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T17:36:25.753Z"}, "descriptions": [{"lang": "en", "value": "Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"}, {"url": "https://leafletjs.com/"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:45:03.459489Z", "id": "CVE-2025-69993", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:45:26.763Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69993", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T17:45:03.459489Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:45:21.468Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"}, {"url": "https://leafletjs.com/"}], "descriptions": [{"lang": "en", "value": "Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T17:36:25.753Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69993", "state": "PUBLISHED", "dateUpdated": "2026-04-21T17:36:25.753Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leafletjs:leaflet:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "840C3800-3D9A-4B7A-96E4-390841CE2AB2", "versionEndIncluding": "1.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session."}], "id": "CVE-2025-69993", "lastModified": "2026-04-21T18:16:19.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T15:16:25.477", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"}, {"source": "cve@mitre.org", "url": "https://leafletjs.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Leaflet: Leaflet: Cross-Site Scripting (XSS) via unsanitized input in bindPopup() method", "id": "2458210", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458210"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in Leaflet. This Cross-Site Scripting (XSS) vulnerability exists in the bindPopup() method, which fails to sanitize user-supplied input. A remote attacker can exploit this by injecting malicious JavaScript code into map popups. When a victim views an affected map, the injected script executes in their browser, potentially leading to information disclosure or other client-side attacks."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-69993", "package_state": [{"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-mlflow-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-04-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-69993\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-69993\nhttp://leaflet.com\nhttps://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"], "statement": "There's a Moderate severity flaw in the `bindPopup()` method in Leaflet does not sanitize user-supplied input, allowing an attacker to inject malicious JavaScript. If the application accepts an user controlled input further used by Leaflet the attacker may inject raw HTML tags, achieving a stored XSS attack.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.4]"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "leaflet", "vendor": "leaflet"}], "analysis": {"en": {"generated_at": "2026-04-14T16:35:58.223387+00:00", "value": {"mitigation_remediation": ["Upgrade Leaflet to a version newer than 1.9.4.", "If upgrading is not immediately possible, sanitize any user\u2011supplied data before passing it to bindPopup by removing event handler attributes and other executable content.", "Validate or escape popup content to prevent embedded JavaScript from executing in the browser."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting via unsanitized popup content"}, "threat_synthesis": {"affected_systems": "All web applications that use the open\u2011source Leaflet mapping library with a version up to and including 1.9.4 are affected. The flaw applies to any vendor or project that ships or incorporates these releases, regardless of deployment environment. Upgrading to a version newer than 1.9.4 removes the vulnerability.", "description_and_impact": "Leaflet\u2019s bindPopup() method renders any string passed to it as raw HTML inside a popup without sanitization, allowing an attacker to inject HTML elements that carry event handler attributes such as onerror. When a user opens the popup, the embedded JavaScript executes in the context of the web application, enabling the attacker to steal cookies, hijack sessions, or perform further malicious actions. This results in compromised confidentiality and integrity of data processed by the application.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity, and the absence of an EPSS score means the likelihood of exploitation is uncertain. Exploitation requires that the attacker can insert untrusted content into a popup, a scenario common in applications that display dynamic user data in map popups. The attack is client\u2011side and does not require special privileges; however, it can lead to significant damage if users load malicious content. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no large\u2011scale public exploits have been documented yet."}}}}, "created": "2026-04-14T16:37:17.236975+00:00", "title": "Cross\u2011Site Scripting via Unfiltered Popup Content in Leaflet \u22641.9.4", "updated": "2026-04-15T21:03:03.352745+00:00", "vendors": ["leaflet", "leaflet$PRODUCT$leaflet"], "weaknesses": ["CWE-79"]}