LeakyCreds

CVE-2025-69993 - Vulnerability Analysis

Medium | CVSS: 6.1

Last Updated: April 14, 2026

Leaflet - Stored XSS

Published: April 14, 2026 | Updated: April 14, 2026 | PoC Available | Remote Exploitable

Overview

Leaflet <= 1.9.4 contains a stored XSS vulnerability caused by unsanitized user input in the bindPopup() method, which lets attackers inject arbitrary JavaScript that executes in the victim's browser session. Exploitation requires the victim to view the malicious popup.

Severity & Score

Severity: Medium
CVSS Score: 6.1

Impact

Attackers can execute arbitrary JavaScript in the victim's browser, leading to session hijacking or other malicious actions.

Mitigation

Update to a version later than 1.9.4, where input sanitization is implemented.
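
An application-side way to keep stored values from being interpreted as markup when they reach bindPopup(), shown as an added example that is not part of this advisory or of Leaflet's code. The record fields and the function names are hypothetical, and the sample record is constructed.

```javascript
// Constructed sample: `name` stands for a user-supplied value that was stored
// earlier and is later shown in a map popup to other users.
const sampleRecord = { name: '<img src=x onerror="alert(1)">', lat: 51.5, lng: -0.09 };

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text break out into HTML markup or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: a string handed to bindPopup() is rendered as HTML, so a
// stored value concatenated into it becomes live markup in the viewer's page.
function unsafePopupHtml(record) {
  return '<b>' + record.name + '</b>';
}

// Hardened pattern: the application's own markup stays fixed and every
// stored value is escaped before it is placed inside it.
function safePopupHtml(record) {
  return '<b>' + escapeHtml(record.name) + '</b>';
}

// Alternative for browser code: bindPopup() also accepts an HTMLElement, and
// textContent never parses its value as HTML. `doc` is the page's document.
function safePopupNode(record, doc) {
  const el = doc.createElement('b');
  el.textContent = String(record.name);
  return el;
}

// Attach the escaped content to any Leaflet layer (for example a marker).
function bindSafePopup(layer, record) {
  return layer.bindPopup(safePopupHtml(record));
}
```
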

Details

CVE ID: CVE-2025-69993
Severity: Medium
CVSS Score: 6.1
Type: stored_xss
Status: new

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N