Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

Severity:: Medium

Description

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin.

Recommendation

No fix is available yet. Followings are affected versions:

>= 1.4.0, <= 3.4.1

References

GHSA-vxmc-5x29-h64v
www.herodevs.com
lists.debian.org
CVE-2024-6485
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Bootstrap Cross-site Scripting vulnerability (GHSA-pj7m-g53m-7638) - CVE-2018-14041
sanitize-html is vulnerable to XSS through incomprehensive sanitization - CVE-2019-25225
react-native-keys insecurely stores encryption cipher and Base64 chunks - CVE-2025-45001
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343

Tags:: npm; bootstrap

Anything's wrong? Let us know Last updated on November 03, 2025