CVE-2026-49294

MEDIUM 6.1

Valhalla has reflected XSS via unsanitized JSONP callback parameter

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.

CWE	CWE-79
Vendor	valhalla
Product	valhalla
Published	Jun 15, 2026
Last Updated	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for valhalla valhalla

Be the first to know when new medium vulnerabilities affecting valhalla valhalla are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

valhalla / valhalla

<= 3.6.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/valhalla/valhalla/security/advisories/GHSA-85xx-39j8-r56x