#1136210 leaflet: CVE-2025-69993

Package:
src:leaflet
Source:
src:leaflet
Submitter:
Moritz Mühlenhoff
Date:
2026-05-11 06:43:06 UTC
Severity:
normal
Tags:
Date:
2026-05-10 18:28:24 UTC
From:
To:
Hi,

The following vulnerability was published for leaflet.

CVE-2025-69993[0]:
| Leaflet versions up to and including 1.9.4 are vulnerable to Cross-
| Site Scripting (XSS) via the bindPopup() method. This method renders
| user-supplied input as raw HTML without sanitization, allowing
| attackers to inject arbitrary JavaScript code through event handler
| attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim
| views an affected map popup, the malicious script executes in the
| context of the victim's browser session.

https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-69993
https://www.cve.org/CVERecord?id=CVE-2025-69993

Please adjust the affected versions in the BTS as needed.
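The mitigation that the advisory text implies, as an added example (not code from Leaflet or from the bug report): because bindPopup() treats a string as HTML, every untrusted value is entity-escaped before it is placed into the popup markup. The feature object, its field names and the station name are assumptions constructed for the example; the payload string is the one quoted in the CVE description.

```javascript
// Added example, not Leaflet code: escape untrusted text before handing it
// to bindPopup(), which renders strings as HTML. Characters that can open a
// tag or terminate an attribute value are replaced by entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds popup markup for a hypothetical feature object ({ name, description })
// whose fields come from an untrusted source (for example a user-uploaded
// GeoJSON file). Only the fixed markup is trusted; every dynamic value goes
// through escapeHtml().
function buildPopupHtml(feature) {
  return (
    "<strong>" + escapeHtml(feature.name) + "</strong>" +
    "<p>" + escapeHtml(feature.description) + "</p>"
  );
}

// Constructed sample input carrying the payload from the CVE description.
const untrustedFeature = {
  name: "Station 7",
  description: '<img src=x onerror="alert(\'XSS\')">',
};

// Vulnerable pattern: marker.bindPopup(feature.description) hands the raw
// string to Leaflet, which parses it as HTML, so the onerror handler runs.
// Hardened pattern: bind the escaped markup instead. The call is guarded so
// the file also runs outside a browser, where the Leaflet global L is absent.
if (typeof L !== "undefined") {
  L.marker([51.5, -0.09]).bindPopup(buildPopupHtml(untrustedFeature));
}
```

bindPopup() also accepts an HTMLElement, so building the content with document.createElement() and textContent instead of string concatenation avoids the escaping step altogether.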