CVE-2025-69993
Severity: MEDIUM
Leaflet <= 1.9.4 - Cross-Site Scripting via bindPopup() Method
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-69993. PoCs published by PierfrancescoConti.
AI-analyzed exploit summary
This repository contains a functional proof-of-concept for CVE-2025-69993, demonstrating an XSS vulnerability in Leaflet's bindPopup() method. The included Angular application allows users to input malicious HTML, which is rendered without sanitization, leading to arbitrary JavaScript execution.
Description
Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.
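The fix on the application side is to never hand bindPopup() a raw user string. The following is an added example (not code from the PoC repository or from Leaflet) showing the escaping step with a stub marker so it runs in Node without a browser; `escapeHtml`, `buildPopupHtml`, `attachSafePopup` and `makeStubMarker` are hypothetical names chosen here.

```javascript
// Added example: escape untrusted text before it reaches Leaflet's
// bindPopup(), which renders its string argument as HTML.

// HTML-significant characters and their entity forms.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every HTML-significant character so the browser shows the text
// literally instead of parsing tags or event-handler attributes.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Trusted template around an untrusted label: only the label is escaped.
function buildPopupHtml(label) {
  return `<b>Location:</b> ${escapeHtml(label)}`;
}

// Constructed sample input with the payload shape named in the advisory.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(\'XSS\')">';

// Attach a popup to `marker` (any object with a bindPopup method, e.g. a
// real L.marker or the stub below) and return the markup that was bound.
// Vulnerable pattern the PoC exercises:  marker.bindPopup(label)
// Safe pattern used here:                marker.bindPopup(buildPopupHtml(label))
// In a browser, an equivalent fix is to pass an HTMLElement whose
// textContent (not innerHTML) is set to the label.
function attachSafePopup(marker, label) {
  const html = buildPopupHtml(label);
  marker.bindPopup(html);
  return html;
}

// Minimal stand-in for L.marker(...) so the example runs without Leaflet.
function makeStubMarker() {
  const recorded = { content: null };
  return {
    recorded,
    bindPopup(content) { recorded.content = content; return this; },
  };
}

// Stand-alone run: show what the popup would receive for the sample payload.
const demoMarker = makeStubMarker();
attachSafePopup(demoMarker, SAMPLE_PAYLOAD);
console.log(demoMarker.recorded.content);
```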
Exploits (1)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N