Reflected XSS Vulnerability in Valhalla Routing Engine
CVE-2026-49294

6.1 MEDIUM

Key Information:

Vendor:
Valhalla

Status:
Vendor
CVE Published:
15 June 2026

What is CVE-2026-49294?

Valhalla, an open source routing engine used with OpenStreetMap data, is vulnerable to reflected cross-site scripting (XSS) due to improper handling of user input in the JSONP callback parameter. In versions 3.6.3 and earlier, an attacker can exploit this flaw by crafting a URL that includes malicious JavaScript. When a victim loads this URL, the injected script executes in the context of the user's session, leading to potential session token theft or unauthorized actions performed on their behalf. The vulnerability remains unpatched as of the time of this publication, highlighting the urgency for users to assess their exposure and implement mitigations.
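The defect class described above, as an added illustration that is not Valhalla's own code: a JSONP handler that reflects the callback name verbatim, beside one that checks the name against an allow-list of JavaScript identifiers before it reaches the response body. The handler shape, the `Response` struct and the function names are assumptions for the example.

```cpp
#include <cstddef>
#include <regex>
#include <string>

// Allow-list for JSONP callback names: a dotted chain of JavaScript
// identifiers such as "cb", "app.onRoute" or "$jq123". Anything else
// (quotes, angle brackets, parentheses, semicolons, whitespace) is rejected.
static const std::regex kCallbackPattern(
    R"(^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$)");

constexpr std::size_t kMaxCallbackLength = 64;  // assumed sane upper bound

bool is_safe_callback(const std::string& callback) {
  if (callback.empty() || callback.size() > kMaxCallbackLength) return false;
  return std::regex_match(callback, kCallbackPattern);
}

// Minimal model of what an HTTP layer would send back (assumed shape).
struct Response {
  int status;
  std::string content_type;
  std::string body;
};

// Vulnerable pattern: the caller-supplied callback is concatenated into a
// script body without validation, so whatever the URL carried is returned
// as executable JavaScript.
Response jsonp_unsafe(const std::string& callback, const std::string& json) {
  return {200, "application/javascript", callback + "(" + json + ");"};
}

// Hardened pattern: anything outside the allow-list is refused with 400.
// The "/**/" prefix is a common additional hardening step for JSONP bodies;
// the HTTP layer should also send X-Content-Type-Options: nosniff (not
// modelled here).
Response jsonp_hardened(const std::string& callback, const std::string& json) {
  if (!is_safe_callback(callback)) {
    return {400, "application/json", R"({"error":"invalid callback"})"};
  }
  return {200, "application/javascript",
          "/**/" + callback + "(" + json + ");"};
}
```

Logging rejected callback values (with the client address) also gives a simple detection signal for probing of this parameter.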

Affected Version(s)

valhalla <= 3.6.3

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
