Logo
Retour à la veille

CVE-2026-49294

Publié : 15 juin 2026
Modifié : 15 juin 2026
Lien officiel NVD
Score CVSS
6.1
MEDIUM

Description détaillée

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Références et Patchs

https://github.com/valhalla/valhalla/security/advisories/GHSA-85xx-39j8-r56xhttps://github.com/valhalla/valhalla/security/advisories/GHSA-85xx-39j8-r56x

Dernières Vulnérabilités

CVE-2026-9691

Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.

VOIR DÉTAILS

CVE-2026-52703

Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.

VOIR DÉTAILS

CVE-2026-52702

Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.

VOIR DÉTAILS