CVE-2025-1647

Published May 15, 2025

Last updated a month ago

CVSS medium 5.6
Bootstrap

Overview

Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS).This issue affects Bootstrap: from 3.4.1 before 4.0.0.
Source
36c7be3b-2937-45df-85ea-ca7133ea542c
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.6
Impact score
3.4
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity
MEDIUM

Weaknesses

36c7be3b-2937-45df-85ea-ca7133ea542c
CWE-79

Social media

Hype score
Not currently trending

  1. 🚨 CVE Alert: CVE-2025-1647 — XSS in Bootstrap 3 A cross-site scripting vulnerability has been identified in Bootstrap 3’s tooltip and popover components, where unsanitized input can be injected and executed in users’ browsers. Why this matters: ✔️ Affects Bootstrap

    @herodevs

    3 Apr 2026

    244 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  2. CVE-2025-1647 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS).This issue affe… https://t.co/KKprQOusd3

    @CVEnew

    15 May 2025

    225 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel component, where the data-slide and data-slide-to attributes can be exploited through the href attribute of an <a> tag due to inadequate sanitization. This vulnerability could potentially enable attackers to execute arbitrary JavaScript within the victim's browser.CVE-2024-6531
  2. Rejected reason: This was not a security issue in Bootstrap. Bootstrap’s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap’s security model, and the associated CVE has been rescinded.CVE-2024-6484
  3. A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.CVE-2024-6485
  4. Bootstrap v3.1.11 and v3.3.7 was discovered to contain a cross-site scripting (XSS) vulnerability via the Title parameter in /vendor/views/add_product.php.CVE-2022-26624
  5. Bootstrap Package is a theme for TYPO3. It has been discovered that rendering content in the website frontend is vulnerable to cross-site scripting. A valid backend user account is needed to exploit this vulnerability. Users of the extension, who have overwritten the affected templates with custom code must manually apply the security fix. Update to version 7.1.2, 8.0.8, 9.1.4, 10.0.10 or 11.0.3 of the Bootstrap Package that fix the problem described. Updated version are available from the TYPO3 extension manager, Packagist and at https://extensions.typo3.org/extension/download/bootstrap_package/.CVE-2021-21365

References

Sources include official advisories and independent security research.