None severityNVD Advisory· Published Mar 16, 2026· Updated Apr 16, 2026

CVE-2026-32732

Description

Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@leanprover/unicode-input-componentnpm	< 0.2.0	0.2.0

Affected products

Leanprover/Vscode Lean4references

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-6ggm-pwr9-r5h2ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-32732ghsaADVISORY
github.com/leanprover/vscode-lean4/pull/735nvdWEB
github.com/leanprover/vscode-lean4/security/advisories/GHSA-6ggm-pwr9-r5h2nvdWEB
leanprover.zulipchat.comnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000