Intel

AIKIDO-2026-313132

braintree-web-drop-in is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

25

Low Risk

This Affects:

JSbraintree-web-drop-in
1.0.0 - 1.46.1
Fixed in 1.47.0
Are you affected? Scan for Free

TL;DR

Braintree Drop-in renders payment method details, error messages, and payment option labels by assigning strings to innerHTML and relies on a sanitizeHtml helper that only escapes < and >. Untrusted values such as a vaulted PayPal account email or payment source strings are inserted into the DOM without complete escaping, so embedded markup can execute as script in the merchant checkout page. Before the fix this allows cross-site scripting when such values reach the affected rendering paths. The fix replaces the vulnerable innerHTML writes with textContent, tightens sanitizeHtml to also escape &, ", and ', and sanitizes the PayPal email and payment option values before template insertion.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

braintree-web-drop-in is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.0 - 1.46.1.

How to fix this

Upgrade the braintree-web-drop-in library to the patch version.