Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes

GHSA-vxmc-5x29-h64v · CVE-2024-6485

Published Jul 11, 2024 · Modified Feb 4, 2026

Description

A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-6485
PACKAGE https://github.com/twbs/bootstrap
WEB https://lists.debian.org/debian-lts-announce/2025/04/msg00020.html
WEB https://www.herodevs.com/vulnerability-directory/cve-2024-6485

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes