{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69993", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T17:45:26.763Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-14T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T14:24:11.633Z"}, "descriptions": [{"lang": "en", "value": "Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://leaflet.com"}, {"url": "https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:45:03.459489Z", "id": "CVE-2025-69993", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:45:26.763Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69993", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T17:45:03.459489Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:45:21.468Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://leaflet.com"}, {"url": "https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"}], "descriptions": [{"lang": "en", "value": "Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-14T14:24:11.633Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69993", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:45:26.763Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-14T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session."}], "id": "CVE-2025-69993", "lastModified": "2026-04-14T18:16:41.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-14T15:16:25.477", "references": [{"source": "cve@mitre.org", "url": "http://leaflet.com"}, {"source": "cve@mitre.org", "url": "https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-14T16:35:58.223387+00:00", "value": {"mitigation_remediation": ["Upgrade Leaflet to a version newer than 1.9.4.", "If upgrading is not immediately possible, sanitize any user\u2011supplied data before passing it to bindPopup by removing event handler attributes and other executable content.", "Validate or escape popup content to prevent embedded JavaScript from executing in the browser."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting via unsanitized popup content"}, "threat_synthesis": {"affected_systems": "All web applications that use the open\u2011source Leaflet mapping library with a version up to and including 1.9.4 are affected. The flaw applies to any vendor or project that ships or incorporates these releases, regardless of deployment environment. Upgrading to a version newer than 1.9.4 removes the vulnerability.", "description_and_impact": "Leaflet\u2019s bindPopup() method renders any string passed to it as raw HTML inside a popup without sanitization, allowing an attacker to inject HTML elements that carry event handler attributes such as onerror. When a user opens the popup, the embedded JavaScript executes in the context of the web application, enabling the attacker to steal cookies, hijack sessions, or perform further malicious actions. This results in compromised confidentiality and integrity of data processed by the application.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity, and the absence of an EPSS score means the likelihood of exploitation is uncertain. Exploitation requires that the attacker can insert untrusted content into a popup, a scenario common in applications that display dynamic user data in map popups. The attack is client\u2011side and does not require special privileges; however, it can lead to significant damage if users load malicious content. The vulnerability is not currently listed in the CISA KEV catalog, suggesting no large\u2011scale public exploits have been documented yet."}}}}, "created": "2026-04-14T16:37:17.236975+00:00", "title": "Cross\u2011Site Scripting via Unfiltered Popup Content in Leaflet \u22641.9.4", "updated": "2026-04-14T16:37:17.236995+00:00", "vendors": [], "weaknesses": ["CWE-79"]}