Moderate severity · NVD Advisory · Published Mar 18, 2026 · Updated Mar 18, 2026
LeafKit's HTML escaping may be skipped for Collection values, enabling XSS
CVE-2026-28499
Description
LeafKit is a templating language with Swift-inspired syntax. Prior to version 1.14.2, HTML escaping is not applied correctly when a template prints a collection (Array or Dictionary) via #(value): the collection's contents can reach the rendered output unescaped. If any element of that collection originates from untrusted input, this allows cross-site scripting (XSS). Version 1.14.2 fixes the issue.
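The class of defect described above, modelled in Python as an added example; this is not LeafKit's code, and the mini template renderer, its `#(key)` matcher, the two escaper functions and the context values are all hypothetical. The vulnerable escaper handles a string value correctly but serialises a list or dictionary as a whole, so strings nested inside it never pass through the HTML escaper; the hardened version escapes every string reachable inside the collection before serialising it.

```python
import html
import json
import re

# Constructed context: values an application might hand to a template,
# some of them attacker-controlled.
CONTEXT = {
    "title": "Dashboard",
    "name": "<script>alert(1)</script>",
    "tags": ["news", "<img src=x onerror=alert(1)>"],
    "profile": {"bio": "\"><svg onload=alert(1)>"},
}

# Matches the #(key) print tag of the toy template language modelled here.
TAG_PATTERN = re.compile(r"#\((\w+)\)")


def escape_vulnerable(value):
    """Models the defect: a scalar string is escaped, but a list or dict is
    serialised as a whole, so its string elements never reach the escaper."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, (list, dict)):
        # json.dumps leaves '<' and '>' untouched: nested values are emitted verbatim.
        return json.dumps(value)
    return str(value)


def escape_fixed(value):
    """Hardened form: escaping is applied recursively to every string inside
    the collection before it is serialised, so nesting cannot bypass it."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, list):
        return "[" + ", ".join(escape_fixed(v) for v in value) + "]"
    if isinstance(value, dict):
        return "{" + ", ".join(
            f"{escape_fixed(k)}: {escape_fixed(v)}" for k, v in value.items()
        ) + "}"
    return str(value)


def render(template, context, escaper):
    """Substitutes each #(key) in the template with the escaped context value."""
    return TAG_PATTERN.sub(lambda m: escaper(context[m.group(1)]), template)


def has_raw_markup(rendered_value):
    """True if a substituted value still contains a character that could open
    a tag or break out of an attribute."""
    return any(ch in rendered_value for ch in "<>\"")


if __name__ == "__main__":
    template = "<h1>#(title)</h1><p>#(name)</p><ul>#(tags)</ul><div>#(profile)</div>"
    for label, escaper in (("vulnerable", escape_vulnerable), ("fixed", escape_fixed)):
        print(f"{label}: {render(template, CONTEXT, escaper)}")
```

The scalar case is what a quick test of the escaper usually covers, and it passes in both variants; the bypass only shows when the printed value is a collection, which is why a regression test for this issue should render a list and a dictionary containing markup, not just a string.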
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/vapor/leaf-kit (Swift) | < 1.14.2 | 1.14.2 |
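A way to check whether a Vapor project is still resolved to an affected release, written here as an added example rather than anything shipped by the LeafKit project: the script reads a SwiftPM `Package.resolved` lockfile (both the v1 `object.pins` and v2 `pins` layouts), finds the `leaf-kit` pin and compares its version against 1.14.2. The embedded lockfile is a constructed sample, and its pinned versions are illustrative.

```python
import json
import sys

FIXED_VERSION = "1.14.2"

# Constructed sample in the SwiftPM Package.resolved v2 layout. The pinned
# versions are illustrative; the leaf-kit pin is deliberately below the fix.
SAMPLE_PACKAGE_RESOLVED = """{
  "pins" : [
    {
      "identity" : "leaf-kit",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/vapor/leaf-kit.git",
      "state" : { "version" : "1.13.0" }
    },
    {
      "identity" : "vapor",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/vapor/vapor.git",
      "state" : { "version" : "4.0.0" }
    }
  ],
  "version" : 2
}"""


def parse_version(text):
    """Turns '1.14.2' into a comparable tuple. A pre-release suffix
    ('1.14.2-beta.1') sorts below the final release of the same number."""
    core, _, build = text.partition("+")
    core, _, prerelease = core.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (*parts[:3], 0 if prerelease else 1)


def pinned_versions(resolved_text):
    """Maps package identity to pinned version for both Package.resolved layouts:
    v1 uses 'object.pins' with a 'package' name, v2 uses 'pins' with 'identity'."""
    doc = json.loads(resolved_text)
    pins = doc.get("pins") if "pins" in doc else doc.get("object", {}).get("pins", [])
    result = {}
    for pin in pins:
        name = (pin.get("identity") or pin.get("package") or "").lower()
        version = (pin.get("state") or {}).get("version")
        if name and version:
            result[name] = version
    return result


def leafkit_status(resolved_text):
    """Returns 'vulnerable', 'patched' or 'absent' for the leaf-kit pin."""
    version = pinned_versions(resolved_text).get("leaf-kit")
    if version is None:
        return "absent"
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "vulnerable"
    return "patched"


if __name__ == "__main__":
    # Usage: python check_leafkit.py [path/to/Package.resolved]; without an
    # argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGE_RESOLVED
    pinned = pinned_versions(text).get("leaf-kit", "(not pinned)")
    print(f"leaf-kit {pinned}: {leafkit_status(text)}")
```

The check reads only the lockfile, so a result of "vulnerable" means the build is resolved to an affected release regardless of what `Package.swift` allows; after updating the dependency, re-run it against the regenerated `Package.resolved` to confirm the pin moved to 1.14.2 or later. A pin that is missing a `version` (a branch or revision pin) is reported as absent and needs manual review.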
Affected products
- vapor/leaf-kit: < 1.14.2
References
- GHSA-6jj5-j4j8-8473 (GitHub Advisory Database): https://github.com/advisories/GHSA-6jj5-j4j8-8473
- NVD entry for CVE-2026-28499: https://nvd.nist.gov/vuln/detail/CVE-2026-28499
- Fix commit: https://github.com/vapor/leaf-kit/commit/6044b844caa858a0c5f2505ac166f5a057c990dc
- Release 1.14.2: https://github.com/vapor/leaf-kit/releases/tag/1.14.2
- Repository security advisory: https://github.com/vapor/leaf-kit/security/advisories/GHSA-6jj5-j4j8-8473