PT-2026-32628 · Debian+2 · Leaflet

Published: 2026-04-14 · Updated: 2026-04-19 · CVE-2025-69993

CVSS v3.1: 6.1 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Leaflet versions prior to 1.9.5

Description: Cross-Site Scripting (XSS) occurs via the bindPopup() function. The function renders user-supplied input as raw HTML without sanitization, which allows arbitrary JavaScript to be injected through event handler attributes. The malicious script executes in the context of the victim's browser session when the victim views an affected map popup.

Recommendations: Update to version 1.9.5 or later. As a temporary workaround, consider restricting the use of the bindPopup() function until the update is applied.
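The description above boils down to one rule: a string handed to bindPopup() is treated as HTML, so any untrusted field must be escaped before it is placed in that string. The helper below is an added example written for this advisory; it is not Leaflet's code and not part of the original advisory. It assumes a browser page where Leaflet is loaded as the global L, an existing map object, and a hypothetical poi record with untrusted name and description fields; the sample inputs in the test are constructed.

```javascript
// Added example (not Leaflet's code): build popup markup from untrusted fields
// so that only the markup authored here reaches bindPopup() as HTML.
// Escaping is sound on every Leaflet version; it is not a substitute for
// updating to 1.9.5 or later.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can open a tag, an attribute, or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Compose the popup HTML. The <strong> and <br> tags are authored by us;
// every value coming from outside passes through escapeHtml() first.
function buildPopupHtml(name, description) {
  return `<strong>${escapeHtml(name)}</strong><br>${escapeHtml(description)}`;
}

// Defensive check usable in a unit test or a pre-render guard: the finished
// markup must contain no tags other than the ones buildPopupHtml() authors.
function containsOnlyAuthoredTags(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.every((tag) => /^<\/?(strong|br)>$/i.test(tag));
}

// Usage in the browser (assumed globals: L, map; hypothetical record: poi):
//   L.marker([poi.lat, poi.lng])
//     .addTo(map)
//     .bindPopup(buildPopupHtml(poi.name, poi.description));
```

If the popup needs no markup at all, an alternative that avoids escaping entirely is to pass bindPopup() a DOM element instead of a string (for example a div whose textContent is set to the untrusted value), since Leaflet appends an element node rather than parsing it as HTML; the escaping helper above is the option that keeps authored formatting.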

Tags: Exploit · Fix · XSS

Weakness Enumeration:

Related Identifiers: CVE-2025-69993

Affected Products: Leaflet