CVE-2026-57380 in Extensions for Leaflet Map Plugininfo

Summary

by MITRE • 07/13/2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hupe13 Extensions for Leaflet Map extensions-leaflet-map allows DOM-Based XSS.This issue affects Extensions for Leaflet Map: from n/a through <= 5.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

This cross-site scripting vulnerability stems from improper input neutralization during web page generation within the hupe13 Extensions for Leaflet Map plugin, specifically impacting the extensions-leaflet-map component. The flaw enables dom-based cross-site scripting attacks that can occur when user-supplied data is not properly sanitized before being rendered in web pages. This type of vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation as a primary weakness. The attack vector leverages the fact that the plugin fails to adequately process or escape user-provided parameters that are subsequently used in DOM operations, creating opportunities for malicious script execution.

The technical implementation of this vulnerability allows attackers to inject malicious scripts through crafted input parameters that get processed by the leaflet map extension. When legitimate users view pages containing these manipulated inputs, the embedded scripts execute within their browser context, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of victims. The vulnerability exists in versions from n/a through 5.1, indicating a widespread impact across multiple releases where input validation mechanisms were insufficiently implemented. This dom-based xss variant is particularly concerning because it can be executed solely through manipulation of the document url without requiring server-side processing or database injection.

The operational impact of this vulnerability extends beyond simple script execution to potentially compromise entire user sessions and sensitive data exposure. Attackers can exploit this weakness to steal cookies, access user accounts, modify page content, or redirect users to malicious sites. The vulnerability affects any web application utilizing the affected leaflet map extension where user input is processed without proper sanitization. According to ATT&CK framework category T1059.007 for command and scripting interpreter, this vulnerability enables adversaries to execute arbitrary code in victim browsers through client-side script injection techniques.

Mitigation strategies should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application stack. The most effective approach involves sanitizing all user-provided data before rendering it in web pages using established libraries such as DOMPurify or similar html sanitization tools. Additionally, developers should implement content security policies that restrict script execution contexts and employ proper escaping techniques for dynamic content insertion. The plugin should be updated to version 5.2 or later where the vulnerability has been addressed through improved input validation controls. Security headers including X-Content-Type-Options and X-Frame-Options should also be implemented to provide additional defense layers against exploitation attempts. Regular security code reviews and automated vulnerability scanning should be integrated into development workflows to prevent similar issues in future releases.

Responsible

Patchstack

Reservation

06/24/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!