Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components

Severity:: Medium

Description

Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap version 3.4.1. At time of publication, there is no publicly available patched version.

Recommendation

No fix is available yet. Followings are affected versions:

= 3.4.1

References

GHSA-q58r-hwc8-rm9j
www.herodevs.com
lists.debian.org
CVE-2025-1647
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS) - CVE-2025-14284
Bootstrap Vulnerable to Cross-Site Scripting - CVE-2019-8331
Bootstrap Vulnerable to Cross-Site Scripting - bootstrap - CVE-2019-8331

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; bootstrap

Anything's wrong? Let us know Last updated on September 18, 2025