PatchSiren

Valhalla CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | Valhalla CVE | published 2026-06-15

CVE-2026-49294

CVE-2026-49294 is a reflected cross-site scripting (XSS) vulnerability in Valhalla, an open-source routing engine and accompanying libraries for use with OpenStreetMap data. The vulnerability affects versions 3.6.3 and prior. The issue arises from improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP respo [truncated]