PatchSiren cyber security CVE debrief
CVE-2026-49294 valhalla CVE debrief
CVE-2026-49294 is a reflected cross-site scripting (XSS) vulnerability in Valhalla, an open-source routing engine and accompanying libraries for use with OpenStreetMap data. The vulnerability affects versions 3.6.3 and prior. The issue arises from improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src='...'> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim.
- Vendor
- valhalla
- Product
- Unknown
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Anyone running Valhalla 3.6.3 or earlier, particularly deployments that expose the HTTP service to browsers, should plan an upgrade and apply the defensive actions listed below.
Technical summary
The vulnerability has a CVSS score of 6.1 and a severity rating of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a version of Valhalla that is not vulnerable.
- Deploy a Content Security Policy (CSP) that restricts which script sources a page may execute, so that injected script in a reflected response has less opportunity to run.
- Implement input validation and output encoding for the JSONP callback parameter.
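The following is an added illustration of the third action above, not code from the Valhalla project: a strict allowlist check for a JSONP callback name, shown beside the unchecked concatenation pattern the advisory describes. Valhalla is written in C++, so the example is in C++; the function names (`is_safe_jsonp_callback`, `build_jsonp_unsafe`, `build_jsonp_safe`) and the 64-character limit are assumptions chosen for the example. The `/**/` prefix on the safe response is a common additional hardening step that, together with `X-Content-Type-Options: nosniff`, makes the body harder to misuse if served with a different content type.

```cpp
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Allowlist grammar for a JSONP callback (assumed for this example):
// one or more identifier segments joined by '.', each beginning with a
// letter, '_' or '$' and continuing with letters, digits, '_' or '$'.
// Brackets, quotes, '<', ';', whitespace and similar are rejected, so the
// value can never contain an executable expression of its own.
bool is_safe_jsonp_callback(std::string_view cb) {
  if (cb.empty() || cb.size() > 64) return false;  // length cap is an assumption
  bool at_segment_start = true;
  for (unsigned char c : cb) {
    if (at_segment_start) {
      if (!(std::isalpha(c) || c == '_' || c == '$')) return false;
      at_segment_start = false;
    } else if (c == '.') {
      at_segment_start = true;
    } else if (!(std::isalnum(c) || c == '_' || c == '$')) {
      return false;
    }
  }
  return !at_segment_start;  // a trailing '.' is not a valid name
}

// Vulnerable pattern from the advisory: the callback value is reflected
// into the response body unchecked, so whatever the client sent is
// emitted as JavaScript.
std::string build_jsonp_unsafe(const std::string& cb, const std::string& json) {
  return cb + "(" + json + ");";
}

// Hardened pattern: the request is refused (nullopt -> HTTP 400) unless the
// callback passes the allowlist; the caller should also set
// Content-Type: application/javascript and X-Content-Type-Options: nosniff.
std::optional<std::string> build_jsonp_safe(const std::string& cb,
                                            const std::string& json) {
  if (!is_safe_jsonp_callback(cb)) return std::nullopt;
  return "/**/" + cb + "(" + json + ");";
}

int main() {
  // Constructed sample inputs: a legitimate callback and a malformed one.
  const std::string payload = "{\"status\":\"ok\"}";
  for (const std::string cb : {"renderRoute", "app.handlers.route", "alert(1)//"}) {
    auto safe = build_jsonp_safe(cb, payload);
    std::cout << cb << " -> unsafe body: " << build_jsonp_unsafe(cb, payload)
              << " | safe body: " << (safe ? *safe : "<rejected, 400>") << "\n";
  }
  return 0;
}
```

Rejecting rather than sanitizing is the safer choice here: a JSONP callback has a tiny legitimate grammar, so anything outside it is an error, and there is nothing to "encode" a function name into.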
Evidence notes
The CVE record was published on 2026-06-15T18:16:35.460Z and has not been modified since then. The vulnerability was reported via a security advisory on GitHub.
Official resources
- CVE-2026-49294 CVE record (CVE.org)
- CVE-2026-49294 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
CVE-2026-49294 was published on 2026-06-15T18:16:35.460Z.