Bootstrap 5 dropped jQuery but still relies on Popper.js for tooltips/popovers. If your site uses an outdated version of Popper.js (e.g., v1.x), that could contain an XSS or prototype pollution bug. Attackers then blame Bootstrap because the exploit chain appears in a Bootstrap component.
The exploit takes advantage of the way Bootstrap 5.1.3 handles the data-bs-toggle attribute. When a user clicks on an element with this attribute, Bootstrap uses JavaScript to toggle the visibility of another element on the page. However, an attacker can manipulate this attribute to inject malicious code, which is then executed by the browser. bootstrap 5.1.3 exploit