CVE-2026-49294
Reflected XSS in Valhalla Routing Engine

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.
Affected Vendors & Products

Vendor     Product    Version / Range
valhalla   valhalla   up to 3.6.3 (inclusive)
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-49294 is a reflected Cross-Site Scripting (XSS) vulnerability in the Valhalla routing engine versions up to 3.6.3. It occurs because the JSONP callback parameter is not properly validated or sanitized before being included in the HTTP response body with a Content-Type of application/javascript.

An attacker can craft a malicious URL containing JavaScript code in the JSONP callback parameter. When a victim loads this URL via a <script> tag, the injected script executes in the context of the vulnerable site, potentially compromising the victim's session or credentials.

Impact Analysis

This vulnerability can lead to the execution of arbitrary JavaScript in the victim's browser under the vulnerable site's origin. This can result in session token theft, credential disclosure, or unauthorized actions performed on behalf of the victim.

Detection Guidance

This vulnerability can be detected by checking if the Valhalla server is reflecting unsanitized input from the JSONP callback parameter in HTTP responses with Content-Type: application/javascript.

One way to detect it is to send a crafted HTTP request to the Valhalla server including a JSONP callback parameter with a unique string or JavaScript code and observe if it is reflected unescaped in the response.

For example, you can use curl to send such a request and inspect the response:

  • curl -i 'http://<valhalla-server>/route?jsonp=alert(1)'

If the response body contains the exact callback parameter value (e.g., alert(1)) without any encoding or validation, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves implementing strict validation on the JSONP callback parameter to allow only safe characters, such as alphanumeric characters and underscores, using a regular expression whitelist.
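The allowlist check described above, written out as an added example in C++ (Valhalla's implementation language); this is illustrative code, not Valhalla's own, and the function names and the identifier-with-dots grammar are assumptions:

```cpp
// Added example (not Valhalla's own code): allowlist validation for a JSONP
// callback parameter before it is reflected into an application/javascript body.
#include <cctype>
#include <iostream>
#include <string>

// Accept only identifier-like callbacks: segments of [A-Za-z_$][A-Za-z0-9_$]*
// joined by single dots (e.g. "cb", "jQuery123_cb", "app.handlers.route").
// Anything else, including "alert(1)" or "cb;alert(1)//", is rejected.
bool is_safe_jsonp_callback(const std::string& cb) {
    if (cb.empty() || cb.size() > 128) return false;   // length cap is an assumption
    bool start_of_segment = true;
    for (unsigned char c : cb) {
        if (start_of_segment) {
            if (!(std::isalpha(c) || c == '_' || c == '$')) return false;
            start_of_segment = false;
        } else if (c == '.') {
            start_of_segment = true;   // next char must start a new segment
        } else if (!(std::isalnum(c) || c == '_' || c == '$')) {
            return false;
        }
    }
    return !start_of_segment;          // rejects a trailing dot
}

// Build the JSONP body only for a validated callback. Returns an empty string
// when the callback is rejected; the caller should then answer with
// 400 Bad Request (or plain JSON) instead of reflecting the parameter.
std::string wrap_jsonp(const std::string& cb, const std::string& json) {
    if (!is_safe_jsonp_callback(cb)) return "";
    // The conventional "/**/" prefix used by many JSONP endpoints; the trailing
    // ";" keeps the body a complete JavaScript statement.
    return "/**/" + cb + "(" + json + ");";
}

int main() {
    // Constructed sample inputs: a legitimate callback and the probe from the
    // detection guidance above.
    std::cout << "cb       -> " << wrap_jsonp("cb", "{\"ok\":true}") << '\n';
    std::cout << "alert(1) -> " << (wrap_jsonp("alert(1)", "{}").empty()
                                    ? "rejected (400)" : "reflected") << '\n';
    return 0;
}
```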

If you are running a vulnerable version (3.6.3 or prior), consider upgrading to a fixed version once available.

As a temporary workaround, you can disable JSONP support or block requests containing the JSONP callback parameter at the web server or firewall level.

Additionally, educate users to avoid loading untrusted URLs that include JSONP callbacks from your Valhalla instance.

Compliance Impact

The vulnerability is a reflected Cross-Site Scripting (XSS) issue that can lead to session token theft, credential disclosure, or unauthorized actions performed on behalf of the victim.

Such security weaknesses can potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user credentials to prevent unauthorized access and data breaches.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards.
