CVE-2026-28499 PUBLISHED

LeafKit's HTML escaping may be skipped for Collection values, enabling XSS

Assigner: GitHub_M
Reserved: 27.02.2026
Published: 18.03.2026
Updated: 18.03.2026

LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via #(value). This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor vapor
Product leaf-kit
Versions
  • Version < 1.14.2 is affected

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
  • CWE-116: Improper Encoding or Escaping of Output