CVE-2026-28499

LeafKit's HTML escaping may be skipped for Collection values, enabling XSS

CVSS 6.9 MEDIUM · EPSS 0.3% · CWE-116, CWE-79, CWE-80
In short

LeafKit's template engine fails to HTML-escape collection values (arrays or dictionaries) when a template prints them, so attacker-controlled markup inside such a collection is emitted into the page unescaped whenever untrusted data is rendered that way.

Technical detail

LeafKit prior to 1.14.2 improperly handles HTML entity encoding for collection-type values in the #(value) template syntax, enabling stored or reflected XSS attacks when user-controlled data is rendered without sanitization. The vulnerability arises from incomplete output encoding logic specific to array and dictionary types.

Summary generated and translated by AI from the official description.
LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping doesn't work correctly when a template prints a collection (Array / Dictionary) via `#(value)`. This can result in XSS, allowing potentially untrusted input to be rendered unescaped. Version 1.14.2 fixes the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
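The bug class the description above refers to, shown in an added illustrative example (this is not LeafKit's source, and `TemplateValue`, `renderUnsafe` and `renderEscaped` are hypothetical names): an output encoder that escapes only a top-level string leaf leaves the members of an array or dictionary untouched, while the corrected version applies the same entity encoding to every string reached through the collection.

```swift
// Added illustrative example, not LeafKit's code. Models the advisory's bug class:
// HTML escaping that stops at the top-level value versus escaping that recurses
// into Array and Dictionary members.

/// Minimal HTML entity encoding for text content and attribute values.
func escapeHTML(_ s: String) -> String {
    var out = ""
    out.reserveCapacity(s.utf8.count)
    for ch in s {
        switch ch {
        case "&": out += "&amp;"
        case "<": out += "&lt;"
        case ">": out += "&gt;"
        case "\"": out += "&quot;"
        case "'": out += "&#39;"
        default: out.append(ch)
        }
    }
    return out
}

/// Hypothetical stand-in for a template value (not LeafKit's own type).
indirect enum TemplateValue {
    case string(String)
    case int(Int)
    case array([TemplateValue])
    case dictionary([String: TemplateValue])
}

/// Vulnerable pattern: only a top-level String is escaped; collections are
/// rendered from the raw text of their members.
func renderUnsafe(_ v: TemplateValue) -> String {
    switch v {
    case .string(let s): return escapeHTML(s)
    case .int(let i): return String(i)
    case .array(let a):
        return "[" + a.map(rawText).joined(separator: ", ") + "]"
    case .dictionary(let d):
        return "[" + d.keys.sorted()
            .map { "\($0): \(rawText(d[$0]!))" }
            .joined(separator: ", ") + "]"
    }
}

/// Raw (unescaped) text of a member, as the vulnerable path would produce it.
private func rawText(_ v: TemplateValue) -> String {
    switch v {
    case .string(let s): return s
    case .int(let i): return String(i)
    case .array, .dictionary: return renderUnsafe(v)
    }
}

/// Fixed pattern: every String leaf is escaped, including dictionary keys,
/// no matter how deeply it sits inside Array or Dictionary values.
func renderEscaped(_ v: TemplateValue) -> String {
    switch v {
    case .string(let s): return escapeHTML(s)
    case .int(let i): return String(i)
    case .array(let a):
        return "[" + a.map(renderEscaped).joined(separator: ", ") + "]"
    case .dictionary(let d):
        return "[" + d.keys.sorted()
            .map { "\(escapeHTML($0)): \(renderEscaped(d[$0]!))" }
            .joined(separator: ", ") + "]"
    }
}

// Constructed untrusted input: a list of display names, one carrying markup.
let untrusted = TemplateValue.array([
    .string("alice"),
    .string("<script>alert(1)</script>"),
])

// The first line shows the markup reaching the page intact; the second shows
// it neutralised into entities.
print(renderUnsafe(untrusted))
print(renderEscaped(untrusted))
```

A useful regression check for any template engine is to feed a nested collection containing `<`, `>`, `&` and quotes through the collection-printing path and assert that the rendered output contains no raw `<` at all; the fix in 1.14.2 corresponds to the second rendering, and the mitigation until upgrading is to avoid passing untrusted collections to `#(value)` or to escape their members before they reach the template.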
Affected products
vapor · leaf-kit
