Bootstrap 5.1.3 Exploit
If user input populates the data-loading-text value without sanitization, this becomes an exploitable XSS vulnerability.
While Snyk and other databases report no direct high-severity CVEs for version 5.1.3 itself, the version is frequently flagged for the following issues:
The most effective fix is to stop using 5.1.3. Bootstrap 5 is still actively maintained. As of 2026, the latest v5.x versions include improved sanitization methods and bug fixes.
Understanding the Bootstrap 5.1.3 Exploit: Analysis and Mitigation
Here's an example of a malicious request that could be used to exploit this vulnerability:
If the web application renders this input inside a Bootstrap popover attribute:
Bootstrap's carousel component uses anchor tags with data-slide or data-slide-to attributes to control navigation. The carousel plugin reads the href attribute of these tags. Insufficient sanitization in some versions allowed the href attribute to execute JavaScript when the data-* attribute values came from untrusted sources.
The vulnerability in Bootstrap 5.1.3 is primarily classified as a cross-site scripting (XSS) vulnerability, often tracked under identifiers similar to CVE-2021-23337 or related legacy sanitization bypasses.
The Root Cause: Sanitizer Bypass
One of the most significant examples of confusion in this space is the widespread but incorrect association of a critical Sophos Firewall vulnerability (CVE-2022-1040) with the Bootstrap framework. This Sophos bug was a remote code execution (RCE) flaw in the firewall's User Portal and Webadmin that was indeed exploited in the wild as a zero-day. However, it had nothing to do with Bootstrap. The misinformation around this highlights the danger of keyword association and how analysis of a framework must be strictly confined to the framework's code and functionality.
<button id="myButton" data-loading-text="<img src=x onerror=alert('XSS')>" class="btn btn-primary"> Submit </button>
The exploit takes advantage of the way Bootstrap 5.1.3 handles the data-bs-toggle attribute. When a user clicks on an element with this attribute, Bootstrap uses JavaScript to toggle the visibility of another element on the page. However, an attacker can manipulate this attribute to inject malicious code, which is then executed by the browser.
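As an added example (not code from the page or from Bootstrap), the template pattern the page describes, with untrusted text landing in a data-* attribute, beside an attribute-escaping fix and a model of what the plugin later reads back; the function names and the sample input are assumptions constructed for it:

```javascript
// Added example, not from the page or from Bootstrap. Models the pattern the page
// describes: untrusted text is written into a data-* attribute that a plugin later
// reads. Function names are hypothetical; pure strings, so it runs without a DOM.

// Constructed sample input in the style of the page's payload.
const UNTRUSTED = "<img src=x onerror=alert('XSS')>";

// Vulnerable template: the value is concatenated into the attribute unescaped, so
// the browser parses the injected tag as part of the page.
function renderButton(loadingText) {
  return `<button id="myButton" data-loading-text="${loadingText}" class="btn btn-primary">Submit</button>`;
}

// Escape the characters that can close an attribute value or open a tag.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened template: from the parser's point of view the attribute holds only text.
function renderButtonSafe(loadingText) {
  return `<button id="myButton" data-loading-text="${escapeHtmlAttr(loadingText)}" class="btn btn-primary">Submit</button>`;
}

// Model of what the HTML parser hands a script that reads el.dataset.loadingText:
// the entities are decoded again, so the original string comes back unchanged.
function attrValueAsSeenByScript(html) {
  const m = html.match(/data-loading-text="([^"]*)"/);
  if (m === null) return null;
  return m[1]
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&"); // decoded last so "&amp;lt;" does not become "<"
}
```

Because the parser decodes the attribute back to the raw string, escaping at the template layer stops the break-out but is not sufficient on its own: a plugin that assigns that value with innerHTML still injects it, so the sink must treat it as text (textContent) or pass it through Bootstrap's sanitizer.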
