Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
- Severity:
- Medium
Description
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin.
Recommendation
No fix is available yet. Followings are affected versions:
- >= 1.4.0, <= 3.4.1
References
Related Issues
- Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components - CVE-2025-1647
- react-native-keys insecurely stores encryption cipher and Base64 chunks - CVE-2025-45001
- nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
- Bootstrap Cross-Site Scripting (XSS) vulnerability - CVE-2024-6531
- Tags:
- npm
- bootstrap
Anything's wrong? Let us know Last updated on September 25, 2025