CVE-2026-49294

Source
https://cve.org/CVERecord?id=CVE-2026-49294
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49294.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49294
Aliases
  • GHSA-85xx-39j8-r56x
Published
2026-06-15T16:28:04.589Z
Modified
2026-07-15T01:49:00.905366502Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Valhalla has reflected XSS via unsanitized JSONP callback parameter
Details

Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49294.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/valhalla/valhalla

Affected ranges

Type
GIT
Repo
https://github.com/valhalla/valhalla
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.6.3"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

2.*
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.3.0
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.9-rc1
2.4.0
2.4.1
2.4.3
2.4.4
2.4.8
2.4.9
2.5.0
2.6.0
2.6.1
2.7.0
2.7.1
2.7.2
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.2.0
3.2.1
3.3.0
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.6.2
3.6.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49294.json"